Remote Testing for Common Web Application Security Threats - Revision history

Achim: category OWASP/Training changed to OWASP Training

2014-11-10T21:23:07Z

category OWASP/Training changed to OWASP Training

Achim: category changed to OWASP/Training AppSec_DC_2010

2014-11-10T20:48:59Z

category changed to OWASP/Training AppSec_DC_2010

Achim at 20:32, 10 November 2014

2014-11-10T20:32:25Z

Achim: category changed to OWASP/Training

2014-11-10T20:31:57Z

category changed to OWASP/Training

Mark.bristow: /* Description */

2010-09-21T21:11:48Z

‎Description

Mark.bristow: Created page with 'NOTOC link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010 [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=…'

2010-09-21T20:17:03Z

Created page with '__NOTOC__ link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010 [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=…'

New page

__NOTOC__
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]]

[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]
<br>
==Description==
'''Course Length: 2 Days'''
The proliferation of web-based applications has increased the enterprise's exposure to a variety of threats. There are overarching steps that can and should be taken at various steps in the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.

This workshop will enable students to test the security of web-based applications from the perspective of the end user. Security testing helps to fulfill industry best practices and validate implementation. Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.

The most common threats and their potential impact will be covered (based on the industry standard OWASP "Top Ten" – see http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). Hands-on labs and demonstrations will be used to teach the tools and techniques needed to remotely detect and validate the presence of these threats.

==Student Requirements==
You will need to bring your own notebook computer. Each student will be given a virtual machine containing open-source OS, tools, documentation, and targets for a fully self-containing web app security testing environment. Training will feature the open-source project “Web Application Security Dojo” (http://dojo.mavensecurity.com)

Student systems should meet the following minimum requirements
# Prior to the workshop install the latest stable version of VirtualBox. (Free from [http://www.virtualbox.org/]). VirtualBox runs on almost any OS (sorry, no Amiga support).
# Your system should be updated with the latest security patches for your own protection if you opt to get on the classroom/conference network.
# If you use a Windows OS then the file system must be NTFS or better in order to handle large files. FAT32 will not work! See [http://answers.yahoo.com/question/index?qid=20071114114830AAOlJRN] for help determining which file system you have.
# Optional: Wifi network card. A network connection is not required because the virtual machine will contain the targets – however, Internet access is always handy.
# Optional: Student should have Administrator access to the OS in case they need to install new software during class. This will not be necessary once VirtualBox is installed. Again, be sure to have VirtualBox installed (step 1 above) before you arrive at class.
# Hard drive should have at least 5 GB of free space.
# 1 GB of RAM (more is better); 2 GB of RAM if you are using Vista.
# Modern CPU (last 2-3 years); if you have 1+ GB of RAM you are probably fine.

==Objectives==
Skill: Basic, Intermediate, Advanced
# Understand the security threats facing web applications.
# Learn the tools and techniques to remotely validate a web application's security.
# Enhance secure programming practices by raising awareness and giving developers and auditors the tools & knowledge needed to test their web application’s security from the user's perspective.
# Suggestions for mitigating security risks in web applications

==Instructor==
'''Instructor: ''' David Rhoades is a senior consultant with Maven Security Consulting Inc. ([www.mavensecurity.com]). Maven Security Consulting Inc. is a Delaware corporation that provides information security assessments and training services to a global clientele.

David’s expertise includes web application security, network security architectures, and vulnerability assessments. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore).

David has taught at various security conferences around the globe, including for USENIX (www.usenix.org), MIS Training Institute ([www.misti.com]), and ISACA ([www.isaca.org]).

David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu).

[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]] [[Category:Intermediate_Training]]][[Category:Advanced_Training]]]

← Older revision		Revision as of 21:23, 10 November 2014
Line 45:		Line 45:


−	[[Category:OWASP/~~Training~~ AppSec_DC_2010]] [[Category:OWASP/~~Training~~ Basic]]	+	[[Category:OWASP Training/AppSec_DC_2010]] [[Category:OWASP Training/Basic]]

← Older revision		Revision as of 20:48, 10 November 2014
Line 45:		Line 45:


−	[[Category:~~AppSec_DC_2010_Training~~]] [[Category:~~Basic_Training~~]]	+	[[Category:OWASP/Training AppSec_DC_2010]] [[Category:OWASP/Training Basic]]

← Older revision		Revision as of 20:32, 10 November 2014
Line 45:		Line 45:


−	[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training~~]] [[Category:Intermediate_Training]~~]]	+	[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]

← Older revision		Revision as of 20:31, 10 November 2014
Line 45:		Line 45:


−	[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]] [[Category:Intermediate_Training~~]]][[Category:Advanced_Training~~]]]	+	[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]] [[Category:Intermediate_Training]]]

@@ Line 6: / Line 6: @@
 ==Description==
 '''Course Length: 2 Days'''
 The proliferation of web-based applications has increased the enterprise's exposure to a variety of threats.  There are overarching steps that can and should be taken at various steps in the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.
 This workshop will enable students to test the security of web-based applications from the perspective of the end user.  Security testing helps to fulfill industry best practices and validate implementation.  Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.
 The most common threats and their potential impact will be covered (based on the industry standard OWASP "Top Ten" – see http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).   Hands-on labs and demonstrations will be used to teach the tools and techniques needed to remotely detect and validate the presence of these threats.
 ==Student Requirements==