OWASP AppSec Europe 2008 - Belgium/Training
Latest revision as of 13:24, 22 April 2008
Conference Training - One and Two Day Training Courses - May 19th-20th, 2008
OWASP has arranged to have three 2-day and two 1-day Application Security training courses prior to the conference.
The first four courses will be provided by a long-time contributor to OWASP, Aspect Security. The fifth course is being provided by frequent OWASP/WASC contributor Breach Security. We are always looking for good training providers, so if you have a great application security course to offer, please let OWASP know you are interested and we'll see if we can work you into a future conference. The more variety of classes and vendors, the better!
These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.
T1 | Building and Testing Secure Web Applications - 2-Day Course
---|---
T2 | Leading the Development of Secure Applications - 1-Day Course (May 19th)
T3 | Building Secure Rich Internet Applications - 1-Day Course (May 20th)
T4 | Building Secure Web Services - 2-Day Course
T5 | ModSecurity Boot-Camp Training - 2-Day Course

*Note: Information corresponding to each training course is located below.
2-Day Course Pricing
$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]
$1450 - Tutorial only pricing (if not attending the conference)
$675 - Student Pricing
1-Day Course Pricing
$650 for conference attendees. [Note: This fee includes snacks, and LUNCH]
$725 - Tutorial only pricing (if not attending the conference)
$350 - Student Pricing
Location
At Monasterium Poortackere (http://www.monasterium.be/) in Ghent, a couple of hundred meters from the conference location in the historic centre of Ghent. (tbd insert maps)
Course Times
Each class begins at 9 AM and runs until 5:30 PM each day.
Registration
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a
T1. Building and Testing Secure Web Applications - 2-Day Course - May 19-20, 2008
Course Overview
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited, so that students really understand how to avoid introducing such vulnerabilities into their code.
Details
This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more):
- Authentication and Session Management
- Access Control
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Input Validation
- Protecting Sensitive Data (w/ Crypto)
- Caching, Pooling, and Reuse Errors
- Database Security (Including SQL Injection)
- Error Handling and Logging
- Denial of Service
- Code Quality
- Accessing Services Securely
- Setting Security Policy
- Integrating Security into the SDLC
For each area, the course covers the following:
- Theoretical foundations
- Recommended security policies
- Common pitfalls when implementing
- Details on historical exploits
- Best practices for implementation
Hands on Exercises
To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
Requirements
If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.
Registration
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a
Tutorial Provider
This tutorial is provided by longtime OWASP contributor Aspect Security (http://www.aspectsecurity.com).
T2. Leading the Development of Secure Applications - 1-Day Course - May 19, 2008
Summary
In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle.
Course Overview
The following important questions are answered in this course.
- Why is application security so important?
- What are the most critical vulnerability areas to focus on and how?
- What security tools and technologies do software projects need?
- How do I establish an application security initiative in my organization?
- How can I enhance my SDLC to include security activities?
- How do I measure my organization’s progress in application security?
- How can I get my developers to care about application security?
- What teams and roles should I create to address application security?
- How do I get a handle on the security of my entire application portfolio?
- What is the most effective way of securing legacy applications?
This is the right course at the right time for any executive who has decided that secure application development is a priority. The analyst community is helping CIOs understand just how critical the problem of insecure programming has become. For example, the Robert Francis Group (a well-known application development analyst group) wrote: “The lack of application security requirements and associated poor security focus in the development process can cripple business application security leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after the application deployment.”
This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness and live demonstrations of commonly found vulnerabilities in software.
Audience
The intended audience for this course is: Program Managers, Account Managers, Functional/Resource Application Managers, Technical Program/Project Managers (Chief Engineers), Executives, Directors, and Key/Technical Decision Makers
Registration
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a
Tutorial Provider
This tutorial is provided by longtime OWASP contributor Aspect Security (http://www.aspectsecurity.com).
T3. Building Secure Rich Internet Applications - 1-Day Course - May 20, 2008
Summary
This one-day class will cover common RIA security threats and vulnerabilities, and it will provide specific guidance on how to develop RIAs that defend against these threats and vulnerabilities. Training developers on secure coding practices offers one of the highest returns of any security investment, because it eliminates vulnerabilities at the source. Aspect’s Building Secure RIA Course is designed to enable developers to use RIA technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.’ The class is led by Dave Wichers, Aspect COO, and is delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how RIA attacks work, the impacts of successful attacks, and what to do to defend against them.
Course Overview
The course begins with an overview and a Web 2.0 introduction. The next section explores the AJAX and RIA attack surface, followed by Authentication and Session Control sections. Cross-Site Request Forgery, Cross-Site Scripting, and Protecting Sensitive Data are the next sections, followed by Error Handling and Logging and References to round out the day.
Requirements
If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.
Registration
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a
Tutorial Provider
This tutorial is provided by longtime OWASP contributor Aspect Security (http://www.aspectsecurity.com).
T4. Building Secure Web Services - 2-Day Course - May 19-20, 2008
Course Overview
The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks posed by these architectures. Building Secure Web Services introduces the student to all of the commonly used web services and SOA functional and security standards (including web services, XML, HTTP, and SOA standards), and then focuses on presenting effective ways of providing the security characteristics required in each of the core web services security areas. These areas include encryption, authentication, access control, input validation, error handling and logging, and more.
Details
The course starts with a module on the core functional and security standards involved in web services and an overview of web services security. This is followed by a high level approach for doing threat modeling for web services enabled applications.
After this introduction, each web services vulnerability area is covered in detail, discussing the common threats and alternative approaches for addressing those threats, including both standards-based (where standards exist) and best-practice-based security approaches. This course teaches practical implementation and testing techniques, including hands-on testing exercises to discover and exploit web services vulnerabilities as well as hands-on solution development exercises for eliminating these vulnerabilities.
The course concludes with coverage on how to establish trust between services, some exercises on applying what we have learned, and then a significant discussion on SOA and its impact on web services security.
The course outline for this course is as follows:
- Introduction to Web Services Security
- Web Services Security Threat Modeling
- How to Secure Web Services Communications and Protect Sensitive Data (e.g., XML Encryption/Signature)
- Managing Authentication and Identity within Web Services (e.g., SAML, WS-Trust, WS-Secure Conversation)
- How to Control Access to Web Services (e.g., SAML, XACML, XML Gateways)
- How to Validate Input and Protect Output in Web Services (e.g., DTDs, XSDs, custom)
- Error Handling, Logging, Accountability, and Monitoring within Web Services
- Providing and Protecting Discovery Services (UDDI)
- Establishing Trust between Services (e.g., WS-Security, SAML, WS-Federation)
- Applying What We’ve Learned
- Service Oriented Architectures (SOA)
Hands on Exercises
To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
Requirements
If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.
Registration
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a
Tutorial Provider
This tutorial is provided by Aspect Security (http://www.aspectsecurity.com).
T5. ModSecurity Boot-Camp Training - 2-Day Course - May 19-20, 2008
Course Overview
ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day boot-camp class is designed for people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible. The course covers the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and also provides an in-depth look at the extremely powerful ModSecurity Rules Language. Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.
Curriculum
Day 1: Deployment and Management
- Introduction to Web Application Firewalls
- Overview of the Web Application Firewall Evaluation Criteria
- Introduction to ModSecurity
- ModSecurity architecture
- ModSecurity deployment options
- ModSecurity installation
- ModSecurity configuration and operation
- ModSecurity directives and features overview
- ModSecurity rules primer
- ModSecurity tuning
- ModSecurity console deployment and usage
Day 2: Rules Writing Workshop
- Introduction to ModSecurity’s Rule Language
- Anatomy of a ModSecurity rule
- Overview of PCRE
- Variables
- Transformation functions
- Actions
- Using advanced rule syntax with the “chain” action
- Overview of the Core Rule set
- Creating custom rules
- Virtual Patching
- Using initcol and setsid for stateful rules
- Good rule writing practices
- Testing rules
- Tuning rules
- Rule Debugging
- Rule management
Hands on Exercises
Hands-on labs will include installation and use of the ModSecurity Console on day 1, and a unique challenge on day 2 where the participants will have to use ModSecurity to try and mitigate as many vulnerabilities as possible in the OWASP WebGoat application.
Requirements
If you are interested in participating in the hands-on portion of the course, please bring a laptop. The class will use a custom VMware image, so you will need to have VMware Player, Workstation, or Server pre-installed. Additionally, some of the tools we will be using outside of the VMware host require Java, so ensure that you have installed or updated to the latest version.
Registration
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a
Tutorial Provider
This tutorial is provided by Ryan Barnett (ModSecurity Community Manager and Director of Application Security Training at )
- Special Note: Ivan Ristic, ModSecurity Creator and Breach Security Chief Evangelist, will be in attendance to answer questions and also to present on the ModSecurity development roadmap.