OWASP AppSec DC 2012/Training/Virtual Patching Workshop - Revision history

Achim at 21:35, 10 November 2014

2014-11-10T21:35:11Z

Achim: category changed to OWASP/Training AppSec_DC_2012

2014-11-10T21:02:24Z

category changed to OWASP/Training AppSec_DC_2012

Rcbarnett at 18:14, 20 March 2012

2012-03-20T18:14:36Z

Mark.bristow: Created page with "NOTOC {{:OWASP AppSec DC 2012 Header}} ==Description== '''Course Length: 2 Day''' Identification of web application vulnerabilities is only half the battle with remediati..."

2012-01-18T01:41:10Z

Created page with "__NOTOC__ {{:OWASP AppSec DC 2012 Header}} ==Description== '''Course Length: 2 Day''' Identification of web application vulnerabilities is only half the battle with remediati..."

New page

__NOTOC__
{{:OWASP AppSec DC 2012 Header}}
==Description==
'''Course Length: 2 Day'''

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br><br>This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this workshop is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.
==Student Requirements==
Laptop Required:
Students Need to Bring:

==Objectives==
Audience: Technical, Operations
Skill Level: Intermediate

1) Understand Virtual Patching Concepts<br>2) Evaluate if virtual patching is appropriate<br>3) Practice constructing virtual patches for various types of vulnerabilties
==Instructor==
Ryan Barnett
[[Category:AppSec_DC_2012_Training]]
{{:OWASP AppSec DC 2012 Footer}}

@@ Line 22: / Line 22: @@
 ==Instructor==
 Ryan Barnett
-[[Category:OWASP/Training AppSec_DC_2012]]
+[[Category:OWASP Training/AppSec_DC_2012]]
 {{:OWASP AppSec DC 2012 Footer}}

@@ Line 5: / Line 5: @@
 Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br><br>This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this workshop is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.
 ==Student Requirements==
-Laptop Required:
+Laptop Required: Yes
 Students Need to Bring:

OWASP AppSec DC 2012/Training/Virtual Patching Workshop - Revision history

Achim at 21:35, 10 November 2014

Achim: category changed to OWASP/Training AppSec_DC_2012

Rcbarnett at 18:14, 20 March 2012

Mark.bristow: Created page with "__NOTOC__ {{:OWASP AppSec DC 2012 Header}} ==Description== '''Course Length: 2 Day''' Identification of web application vulnerabilities is only half the battle with remediati..."

Mark.bristow: Created page with "NOTOC {{:OWASP AppSec DC 2012 Header}} ==Description== '''Course Length: 2 Day''' Identification of web application vulnerabilities is only half the battle with remediati..."