This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP AppSec DC 2012/Training/Virtual Patching Workshop

From OWASP
Jump to: navigation, search

AppSecDC-468x60-banner-2012.jpg

Registration Now OPEN! | Hotel | Schedule | Convention Center | AppSecDC.org

Description

Course Length: 2 Day

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this workshop is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

See the recent OWASP Virtual Patching Survey for a selection of topic areas we will discuss in depth: http://blog.spiderlabs.com/2012/03/owasp-virtual-patching-survey-results.html

Student Requirements

Laptop Required: Yes

Students Need to Bring:


Objectives

Audience: Technical, Operations Skill Level: Intermediate

1) Understand Virtual Patching Concepts
2) Evaluate if virtual patching is appropriate
3) Practice constructing virtual patches for various types of vulnerabilties

Instructor

Ryan Barnett

Gold Sponsors

 Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors

 SPL-LOGO-MED.png

Small Business

 AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png

Exhibitors

 link=http://www.codenomicon.com/ Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop&oldid=185128"