This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP AppSec Conference Training"

From OWASP
Jump to: navigation, search
(OWASP AppSec 2008 Training Courses - September 22nd - 23rd, 2008)
(T8. Writing Secure Code ASP.NET - Sep 22-23, 2008)
 
(18 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
== OWASP AppSec 2008 Training Courses - September 22nd - 23rd, 2008 ==
 
== OWASP AppSec 2008 Training Courses - September 22nd - 23rd, 2008 ==
  
OWASP has arranged to have five 2-day and two 1-day Application Security training courses following the conference.
+
OWASP has arranged to have five 2-day and two 1-day Application Security training courses following the conference.   
 
 
Three courses will be provided by a long time contributor to OWASP, Aspect Security. One course will be provided by a Pravir Chandra, Project lead of the OWASP Clasp Project. Another course will be presented by the FBI.   
 
  
 
These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.
 
These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.
Line 22: Line 20:
 
|-
 
|-
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T5</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T5</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T5._Leading_the_Development_of_Secure_Applications_-_1-Day_Course_-_Sep_22-23,_2008 | Leading the Development of Secure Applications - 1-Day]]</div>
+
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T5._Leading_the_Development_of_Secure_Applications_-_1-Day_Course_-_Sep_22,_2008 | Leading the Development of Secure Applications - 1-Day]]</div>
 
|-
 
|-
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T6</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T6</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T6._Application_Security_Forensics-_1-Day_Course_-_Sep_22-23,_2008 | Application Security Forensics - 1-Day]]</div>
+
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T6._Building_Secure_Rich_Internet_Applications_-_1-Day_Course_-_Sep_23,_2008 | Building Secure Rich Internet Applications - 1-Day]]</div>
|-
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T7</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T7._Encryption_Programming_Using_SKSML-_2-Day_Course_-_Sep_22-23,_2008 | Encryption Programming Using SKSML - 2 Days]]</div>
 
 
|-
 
|-
 +
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T8</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T8</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T11._Writing Secure Code ASP.NET_-_Sep_22-23,_2008 | Writing Secure Code ASP.NET - 2 Days]]</div>
+
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">[[:Category:OWASP_AppSec_Conference_Training#T8._Writing Secure Code ASP.NET_-_Sep_22-23,_2008 | Writing Secure Code ASP.NET - 2 Days]]</div>
 
|}
 
|}
  
<center>*Note: Information corresponding to each training course is located below.</center>
+
<center>*Note: Information corresponding to each training course is located below or [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif].</center>
  
 
'''Pricing'''
 
'''Pricing'''
  
$675 for 1-Day Training Course
+
$675 for 1-Day Training Course / $1350 for 2-Day Training course
 
 
$1350 for 2-Day Training course
 
 
 
  
 
'''Location'''
 
'''Location'''
  
At Pace University in New York. Same location as the conference.  
+
<u><b>[http://www.parkcentralny.com/location/location.cfm The Park Central Hotel - 870 Seventh Avenue at 56th Street New York, NY 10019-4038.]</b></u>  Same location as the conference.  
  
 
'''Course Times'''
 
'''Course Times'''
  
Each class begins at 9 AM and runs until 5 PM each day.
+
Each class begins at 9 AM and runs until 5:30 PM each day.
 
 
'''Registration'''
 
 
 
Registration is available via the OWASP Conference Cvent site at:
 
  
 
== T1. Defensive Programming - 2-Day Course - Sep 22-23, 2008 ==
 
== T1. Defensive Programming - 2-Day Course - Sep 22-23, 2008 ==
Line 107: Line 96:
 
'''Registration'''
 
'''Registration'''
  
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
 
 
== T11. Writing Secure Code ASP.NET - Sep 22-23, 2008 ==
 
 
 
'''Course Overview'''
 
 
 
This course will help you understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET.
 
 
 
'''Details'''
 
 
 
<br>
 
<b>Day One </b>
 
 
 
Secure Design Principles • Introduction to Hacme Bank • Demonstration • (Hacme Bank Penetration Test): Students observe (and may optionally participate) as the instructor exploits numerous common vulnerabilities in Hacme Bank, an ASP.NET web application that is designed to function as a real-world online bank.
 
 
 
'''.NET Platform Security''' .NET Language Security Features• .NET Common Language Runtime (CLR) Security Mechanisms
 
Code Access Security (CAS)• Strong Name Signing• ASP.NET Security Architecture•
 
 
 
'''Data Protection''' Common Mistakes• .NET System.Cryptography Namespace• .NET Algorithm Recommendations• Data Protection API (DPAPI)• Advanced Cryptographic Features in .NET• Lab • (Data Protection):Encrypt sensitive data with the DPAPI
 
 
 
'''Authentication''' Common Mistakes • ASP.NET Authentication• Impersonation and Delegation• Code Signing (Authenticode) • Windows Card Space•
 
 
 
'''User Management''' Common Mistakes• Password Storage and Quality• Strategies for Password Reset• Account Lockout Schemes• ASP.NET Membership API•
 
 
 
'''Authorization''' Common Mistakes• .NET Authorization Models• ASP.NET Authorization• RoleManager• Session Management• Cross-Site Request Forgery• Lab • (Authorization): Fix privilege escalation vulnerability in Hacme Bank
 
 
 
'''Error Handling and Exception Management''' Common Mistakes• Safe Exception Handling• Error Handling• Event Logging and Audit Trails•
 
 
 
<br>
 
<b>Day Two </b>
 
 
 
'''Data Validation''' Common Mistakes• Data Validation Attacks• Preventing Data Validation Attacks• Regular Expressions• .NET Validation Frameworks & APIs• Canonicalization Issues• Lab • (Data Validation): Implement a variety of validation routines
 
 
 
'''Configuration Management''' Common Mistakes• Securing Sensitive Configuration Data• Securing Communications• Resource Exhaustion and Other Denial of • Service Conditions Application Secure hardening• Secure Build and Deployment• Partial Trust ASP.NET•
 
 
 
'''Logging and Auditing''' Common Mistakes• Logging Best Practices• Data Retention• Popular Logging Frameworks•
 
 
 
'''Software Security Analysis''' Threat Modeling• Secure Code Review Methodology• Automated Code Scanning Tools• Practical Strategies
 
  
 
+
'''Tutorial Provider'''
'''Registration'''
+
Instructor: Jason Rouse, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
 
 
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
 
  
 
== T2. Secure Coding for Java EE- 2-Day Course - Sep 22-23, 2008==
 
== T2. Secure Coding for Java EE- 2-Day Course - Sep 22-23, 2008==
Line 208: Line 158:
 
'''Registration'''
 
'''Registration'''
  
Registration is available at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
Registration is available at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
  
 
'''Tutorial Provider'''
 
'''Tutorial Provider'''
Line 238: Line 188:
 
'''Registration'''
 
'''Registration'''
  
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
  
 
'''Tutorial Provider'''
 
'''Tutorial Provider'''
 +
Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
  
 
== T4. Advanced Web Application Security Testing - 2-Day Course - Sep 22-23, 2008 ==
 
== T4. Advanced Web Application Security Testing - 2-Day Course - Sep 22-23, 2008 ==
Line 257: Line 208:
 
'''Registration'''
 
'''Registration'''
  
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
  
  
Line 300: Line 251:
 
'''Registration'''
 
'''Registration'''
  
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
  
 
'''Tutorial Provider'''
 
'''Tutorial Provider'''
Line 306: Line 257:
 
This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
 
This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
  
== T6. Application Security Forensics- 1-Day Course - Sep 23, 2008 ==  
+
'''Tutorial Provider'''
 +
 
 +
== T6. Building Secure Rich Internet Applications - 1-Day Course - Sep 23, 2008 ==
 +
 
 +
'''Summary'''
 +
 
 +
This one day class will cover common RIA security threats and vulnerabilities and it will provide specific guidance on how to develop RIA to defend against these threats and vulnerabilities.
 +
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source.  Aspect’s Building Secure RIA Course is designed to enable developers to use RIA technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.'  The class is lead by Dave Wichers, Aspect COO, and is delivered in a very interactive manner.
 +
The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how RIA attacks work, the impacts of successful attacks, and what to do to defend against them.
 +
 
  
 
'''Course Overview'''
 
'''Course Overview'''
 +
The course begins with an overview and a Web 2.0 introduction. The next section deals with exploring the AJAX and RIA surface attacks, followed by Authentication and Session control sections.  Cross Site Request Forgery, Cross Site Scripting and Protecting Sensitive Data, are the next sections which are followed by Error Handling and Logging and References to round out the day. 
  
How would you respond to a application security hack? This course will provide insight into the world or forensics with a focus on Web Application Security
+
'''Requirements'''
 +
 
 +
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.
 +
 
 +
 
 +
'''Tutorial Provider'''
  
'''Registration'''
+
This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
 +
 
 +
== T8. Writing Secure Code ASP.NET - Sep 22-23, 2008 ==
  
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
'''Summary'''
  
 +
This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:
 +
# .NET security overview,
 +
# All coding examples and recommendations are specifically focused on C#.NET and/or VB.NET and IIS servers, and
 +
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class. Both C# and VB.NET versions of the hands on coding labs are available.
  
'''Tutorial Provider'''
+
To make room for this .NET specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.
  
== T7. Encryption Programming Using SKSML- 2-Day Course - Sep 22-23, 2008 ==
+
This course is a compressed version of Aspect's standard 3-day Secure Coding for C#/VB.NET course.
  
 
'''Course Overview'''
 
'''Course Overview'''
  
Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.
+
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
  
This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise.
+
This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
  
It is a hands-on course that will teach you the following:
+
'''Details'''
  
* What is key-management?
+
This course starts with a module designed to raise awareness of just how insecure most .NET based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.
* What are the components of an Enterprise Key Management
 
* Infrastructure (EKMI) and how do they work with each other?
 
* What is SKSML and why is it important to you?
 
* How does an application use SKSML?
 
* Installing a Symmetric Key Management System (SKMS)
 
* Using the Symmetric Key Client Library (SKCL) to request encryption keys from the SKMS;
 
* Encrypting/Decrypting/Hashing sensitive data;
 
* Using the SKCL to manage key-rotation;
 
* Design options for dealing with ciphertext in database schemas and XML, and their pros and cons;
 
* Performance issues in cryptographic operations and how to address them in your application;
 
* Vulnerabilities in crypto implementations and EKMI's (what are the knowledgeable Security Auditors looking for?);
 
  
The course is targeted towards Java developers - the lab sessions will be in Java. C/C++/Ruby/PHP developers will learn just as much from the class - even if they cannot perform the lab sessions - and adapt the principles learned to their programming environments.
+
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):
  
Active participation in the class requires a laptop that can support the following:
+
* Authentication and Session Management
 +
* Access Control
 +
* Cross-Site Request Forgery (CSRF)
 +
* Cross-Site Scripting (XSS)
 +
* Input Validation
 +
* Protecting Sensitive Data (w/ Crypto)
 +
* Database Security (Including SQL Injection)
 +
* Error Handling and Logging
 +
* Code Quality
 +
 
 +
For each area, the course covers the following:
  
* Windows XP or 2003;
+
* Theoretical foundations
* Fedora 7, 8, RHEL4, RHEL5, OpenSUSE 10.x or SUSE 10.x;
+
* Recommended security policies
* MySQL 5.x;
+
* Common pitfalls when implementing
* JDK 1.5.x;
+
* Details on historical exploits
* Sun Java System Application Server PE 8.2;
+
* Best practices for implementation
* Java Web Services Developer Pack 2.x;
 
* NetBeans 5.5.x;
 
  
The laptop should ideally have at least 2GB of DRAM and at least 10GB of free disk space for the class. Windows users are encouraged to install Cygwin (http://www.cygwin.com/) on their laptop for better debugging/monitoring capabilities during the lab-sessions.
+
'''Hands on Testing Exercises'''
 +
 
 +
To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
 +
 
 +
'''Hands on Coding Exercises''' (Only in .NET specific version of this class!)
 +
 
 +
For this .NET focused course, students will additionally have the opportunity to find, exploit, and then fix .NET coding vulnerabilities in three different .NET labs using Visual Studio Express.
 +
 
 +
'''Requirements'''
 +
 
 +
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.
  
 
'''Registration'''
 
'''Registration'''
  
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 Cvent Link]
+
Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
  
 
'''Tutorial Provider'''
 
'''Tutorial Provider'''
  
This tutorial is provided by Arshad Noor, CTO, StrongAuth Inc.
+
Instructor: Jerry Hoff: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
__NOTOC__
 

Latest revision as of 15:10, 19 September 2008

OWASP AppSec 2008 Training Courses - September 22nd - 23rd, 2008

OWASP has arranged to have five 2-day and two 1-day Application Security training courses following the conference.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.


T1
T2
T3
T4
T5
T6
T8
*Note: Information corresponding to each training course is located below or Register.gif.

Pricing

$675 for 1-Day Training Course / $1350 for 2-Day Training course

Location

The Park Central Hotel - 870 Seventh Avenue at 56th Street New York, NY 10019-4038. Same location as the conference.

Course Times

Each class begins at 9 AM and runs until 5:30 PM each day.

T1. Defensive Programming - 2-Day Course - Sep 22-23, 2008

Course Overview

This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws.

Details


Day One Understanding the platform, Language design considerations, Memory management features, Browser security model, Handling Input and Output Securely, Interfacing with a database, Understanding the control and data planes, Handling user input, Character representation and encoding, Determinism and Concurrency, Acting on resource properties, Reliable locking schemes, Shared system resources, Session Management, Random numbers and temporary files,
Day Two: Safe Error Handling and Logging, Error/exception handling, Numeric data types, Programmatic checks and assertions, Audit Logging, Debug Code, Information Leakage, Engineering for Security Features, Applying cryptography, Authentication and authorization, Managing application state, Secrets inside code, Using privileged code, Designing hardened interfaces, Software Security in Operations, Network Infrastructure, Configuration of web apps, Application Packaging, Code Signing, Managing Key Material, Reference


Registration

Registration is available via the OWASP Conference Cvent site at: Register.gif

Tutorial Provider Instructor: Jason Rouse, Cigital_OWASP.GIF

T2. Secure Coding for Java EE- 2-Day Course - Sep 22-23, 2008

Summary

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:

  1. Java EE security overview,
  2. All coding examples and recommendations are specifically focused on Java and Java servers, and
  3. 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

To make room for this Java specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most Java EE based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how Java EE web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following Java EE web application security areas (which encompass the entire OWASP Top 10 plus more):

  • Authentication and Session Management
  • Access Control
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Input Validation
  • Protecting Sensitive Data (w/ Crypto)
  • Database Security (Including SQL Injection)
  • Error Handling and Logging
  • Code Quality

For each area, the course covers the following:

  • Theoretical foundations
  • Recommended security policies
  • Common pitfalls when implementing
  • Details on historical exploits
  • Best practices for implementation

Hands on Testing Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Hands on Coding Exercises (Only in Java specific version of this class!)

For this Java focused course, students will additionally have the opportunity to find, exploit, and then fix Java coding vulnerabilities in three different Java labs using Eclipse.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

Registration

Registration is available at: Register.gif

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

T3. Web Services and XML Security - 2-Day Course - Sep 22-23, 2008

Course Overview

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Details

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

  • Web Services attack patterns
  • Common XML attack patterns
  • Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
  • Identity services and federation with SAML and Liberty
  • Hardening Web Services servers
  • Input validation for Web Services
  • Integrating Web Services securely with backend resources and applications using WS-Trust
  • Secure Exception handling in Web Services

Registration

Registration is available via the OWASP Conference Cvent site at: Register.gif

Tutorial Provider Instructor: Gunnar Peterson Arctec.jpg

T4. Advanced Web Application Security Testing - 2-Day Course - Sep 22-23, 2008

Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.

This two day course is designed to teach existing web application developers how to test for security issues. Participants of this course will learn how to scope a security review and prioritize the work, understand the manual and automated tools and techniques available and when to apply them, and learn how to determine the real risk value. In order to achieve these goals, students will assess the OWASP Top Ten security areas within a real world application.

This course will utilize a modified version of the Java Pet Store J2EE web application provided by the Blueprints project. Not only will we identify vulnerabilities introduced into the application, but students will also be asked to identify actual 0-day vulnerabilities existing in the Java Pet Store baseline! Students gain hands-on testing experience with freely available web application security test tools to find and diagnose flaws and learn to identify them in their own projects. The students are then guided through the process of how to create and communicate effective software security flaw descriptions for the flaws they have discovered.

Prerequisites

Students need to be very familiar with common web application security issues including the OWASP Top Ten. As an advanced class, students should already have had some basic experience doing web application security testing. At a minimum, the students should have already gone through and solved most of the web application security lessons in OWASP's WebGoat (www.owasp.org/index.php/OWASP_WebGoat_Project) or have experienced similar testing activities.

Registration

Registration is available via the OWASP Conference Cvent site at: Register.gif


Tutorial Provider

This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

T5. Leading the Development of Secure Applications - 1-Day Course - Sep 22, 2008

Summary

In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle.

Course Overview

The following important questions are answered in this course.

  • Why is application security so important?
  • What are the most critical vulnerability areas to focus on and how?
  • What security tools and technologies do software projects need?
  • How do I establish an application security initiative in my organization?
  • How can I enhance my SDLC to include security activities?
  • How do I measure my organization’s progress in application security?
  • How can I get my developers to care about application security?
  • What teams and roles should I create to address application security?
  • How do I get a handle on the security of my entire application portfolio?
  • What is the most effective way of securing legacy applications?

This is the right course at the right time for any executive who has decided that secure application development is a priority. The analyst community is helping CIOs understand just how critical the problem of insecure programming has become. For example the

Robert Francis Group (a well-known application development analyst group) wrote: “The lack of application security requirements and associated poor security focus in the development process can cripple business application security leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after the application deployment.”

This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness and live demonstrations of commonly found vulnerabilities in software.


Audience

The intended audience for this course is: Program Managers, Account Managers, Functional/Resource Application Managers, Technical Program/Project Managers (Chief Engineers), Executives, Directors, and Key/Technical Decision Makers


Registration

Registration is available via the OWASP Conference Cvent site at: Register.gif

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

Tutorial Provider

T6. Building Secure Rich Internet Applications - 1-Day Course - Sep 23, 2008

Summary

This one day class will cover common RIA security threats and vulnerabilities and it will provide specific guidance on how to develop RIA to defend against these threats and vulnerabilities. Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure RIA Course is designed to enable developers to use RIA technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by Dave Wichers, Aspect COO, and is delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how RIA attacks work, the impacts of successful attacks, and what to do to defend against them.


Course Overview The course begins with an overview and a Web 2.0 introduction. The next section deals with exploring the AJAX and RIA surface attacks, followed by Authentication and Session control sections. Cross Site Request Forgery, Cross Site Scripting and Protecting Sensitive Data, are the next sections which are followed by Error Handling and Logging and References to round out the day.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.


Tutorial Provider

This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

T8. Writing Secure Code ASP.NET - Sep 22-23, 2008

Summary

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:

  1. .NET security overview,
  2. All coding examples and recommendations are specifically focused on C#.NET and/or VB.NET and IIS servers, and
  3. 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class. Both C# and VB.NET versions of the hands on coding labs are available.

To make room for this .NET specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for C#/VB.NET course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most .NET based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):

  • Authentication and Session Management
  • Access Control
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Input Validation
  • Protecting Sensitive Data (w/ Crypto)
  • Database Security (Including SQL Injection)
  • Error Handling and Logging
  • Code Quality

For each area, the course covers the following:

  • Theoretical foundations
  • Recommended security policies
  • Common pitfalls when implementing
  • Details on historical exploits
  • Best practices for implementation

Hands on Testing Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Hands on Coding Exercises (Only in .NET specific version of this class!)

For this .NET focused course, students will additionally have the opportunity to find, exploit, and then fix .NET coding vulnerabilities in three different .NET labs using Visual Studio Express.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

Registration

Registration is available via the OWASP Conference Cvent site at: Register.gif

Tutorial Provider

Instructor: Jerry Hoff: Aspect_logo.gif

This category currently contains no pages or media.