AppSecAsiaPac2012/Training

From OWASP

Revision as of 14:51, 21 February 2012

The OWASP AppSec Asia 2012 event has secured world-class training sessions for the conference. A number of national and international trainers are coming to the event, and you can sign up for any of the classes below.

Trainer bios and course information are listed below the schedule.


Training Schedule

Training Day 1 - Wednesday - April 11th

Rooms and courses (each course runs in the same room for the whole day):

 Training Room (1) - Grand Ballroom 1, Ground Floor - 2 Day Course
   Assessing & Exploiting Web Applications with Samurai-WTF
   Trainer: Justin Searle (Training Syllabus: Course Abstract)
 Training Room (2) - Grand Ballroom 2, Ground Floor - 2 Day Course
   Hands on Web Application Testing: Assessing Web Apps the OWASP Way
   Trainer: Matt Tesauro
 Training Room (3) - Grand Ballroom 3, Ground Floor - 2 Day Course
   Mobile Penetration Testing: Start to Finish for iOS Applications
   Trainer: Jason Haddix
 Training Room (4) - Wharf Room, Level 1 - 1 Day Course
   Building Secure Web Applications
   Trainer: Klaus Johannes Rusch
 Training Room (5) - Bridge Room, Level 1 - 1 Day Course
   Hidden Risks, Costs and Responsibility in the Cloud!
   Trainer: Larry Timmins
 Training Room (6) - Bridge Room 2, Level 1 - 1 Day Course
   Secure Coding Course - .NET Secure Coding
   Trainer: Sandeep Nain

Timetable (all rooms):

 7:30 - 9:00 AM      Conference Registration Open - Coffee & Tea Available
 9:00 - 10:30 AM     Training session
 10:30 - 11:00 AM    Break - Morning Tea - Coffee & Food provided to training rooms
 11:00 AM - 1:00 PM  Training session
 1:00 - 1:30 PM      Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level
 1:30 - 3:00 PM      Training session
 3:00 - 3:30 PM      Break - Afternoon Tea - Coffee & Food provided to training rooms
 3:30 - 5:00 PM      Training session


Training Day 2 - Thursday - April 12th

Rooms and courses (each course runs in the same room for the whole day):

 Training Room (1) - Grand Ballroom 1, Ground Floor - 2 Day Course
   Assessing & Exploiting Web Applications with Samurai-WTF
   Trainer: Justin Searle (Training Syllabus: Course Abstract)
 Training Room (2) - Grand Ballroom 2, Ground Floor - 2 Day Course
   Hands on Web Application Testing: Assessing Web Apps the OWASP Way
   Trainer: Matt Tesauro
 Training Room (3) - Grand Ballroom 3, Ground Floor - 2 Day Course
   Mobile Penetration Testing: Start to Finish for iOS Applications
   Trainer: Jason Haddix
 Training Room (4) - Wharf Room, Level 1 - 1 Day Course
   Mobile Applications & Security
   Trainer: Prashant Verma
 Training Room (5) - Bridge Room, Level 1 - 1 Day Course
   OWASP for CISO and Senior Managers (Business)
   Trainer: Tobias Gondrom
 Chapter Workshop (6) - Bridge Room 2, Level 1 - 1 Day Course
   OWASP Chapter Workshop

Timetable (all rooms):

 7:30 - 9:00 AM      Conference Registration Open - Coffee & Tea Available
 9:00 - 10:30 AM     Training session
 10:30 - 11:00 AM    Break - Morning Tea - Coffee & Food provided to training rooms
 11:00 AM - 1:00 PM  Training session
 1:00 - 1:30 PM      Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level
 1:30 - 3:00 PM      Training session
 3:00 - 3:30 PM      Break - Afternoon Tea - Coffee & Food provided to training rooms
 3:30 - 5:00 PM      Training session


Training Available

2 Day Course - Assessing & Exploiting Web Applications with Samurai-WTF (Justin Searle)

Course Details & Instructor Bio

Come take the official two-day Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools as well as the latest techniques for performing web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the end-to-end process of testing and exploiting several different web applications, including client-side attacks that use flaws within the application. A different set of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. The primary emphasis of these instructor-led exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.


2 Day Course - Mobile Penetration Testing: Start to Finish for iOS apps (Jason Haddix)

Mobile apps are the new horizon for penetration testing and assessment. This class will go from start to finish through:

  • Overview of the iPhone platform
  • Overview of 3rd party application threat models
  • Overview of Xcode and Objective-C
  • Setting up a mobile penetration testing lab/environment
  • Performing blackbox assessments
  • Performing whitebox assessments
  • Finding common client/phone vulnerabilities
  • Finding common server-side vulnerabilities
  • Tips and tricks


This training is suitable for both new and seasoned mobile app security consultants.

Note: Students will need an Apple developer licence, Xcode and a laptop.


Jason Haddix is the Director of Penetration Testing at HP, where he develops and trains internal candidates on the mobile penetration testing team. He has also delivered several trainings on web application hacking and network penetration testing.


2 Day Course - Hands on Web Application Testing: Assessing Web Apps the OWASP way (Matt Tesauro)

The goal of the training session is to teach students how to identify, test, and exploit web application vulnerabilities. The creator and project lead of the OWASP Live CD, now renamed OWASP WTE, will be the instructor for this course, and WTE will be a major component of the class. Through lecture, demonstrations, and hands-on labs, the session will cover the critical areas of web application security testing, using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands-on labs to sharpen their skills and reinforce what they've learned. Students will also receive a complimentary DVD containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing, plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities, including topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and Ajax vulnerabilities. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.


The training will include labs, so attendees will need laptops. A custom version of OWASP WTE will be provided to each student; it contains all the necessary tools and the applications to test. Strictly speaking, Internet access and/or wireless won't be required, since each laptop will be self-sufficient; however, Internet access may be useful for expanding on class discussion. The custom WTE lab environment will run on Windows, Mac OS X and Linux. A recent laptop with sufficient disk space and RAM to run a virtual machine will be required to run the labs. Both VMware and VirtualBox are supported.


Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to system administrator to penetration tester. Matt has also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he is focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University. He also holds the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.


1 Day Course - Mobile Applications & Security (Prashant Verma)

1 Day Course - Hidden Risks, Costs and Responsibility in the Cloud - Is that a Wizard Behind that Virtual Curtain? (Larry Timmins)

1 Day Course - OWASP for CISO and Senior Managers (Tobias Gondrom)

1 Day Course - Building Secure Web Applications (Klaus Johannes Rusch)

1 Day Course - Defensive Coding using Microsoft .net (Sandeep Nain)

If hacking is an art in your eyes, then 'defensive coding' is a rare art known only to the masters. This is your chance to learn this rare art and give the hackers and pen-testers a run for their money.

In this one-day hands-on training, attendees will learn to write code that proactively identifies attack attempts and takes precautionary measures. These measures could be simply blocking the attacks, tracking the attacker, or luring them with honeypots.

The course will begin with a short introduction to the concept of defensive coding and to common hacking techniques, followed by a deep dive into defensive coding techniques. At a high level, the course covers:

  1. Need for Defensive Coding
  2. Principles of secure design and defensive coding
  3. Common vulnerabilities and mitigation techniques
  4. Understanding and using security features available within MS.NET
  5. Building attack prevention controls using MS.Net
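The three reactions the abstract names (block, track, lure into a honeypot) can all be driven from one in-application detection point. The following C# class is an added illustration of that idea; it is not course material and not code from the trainer or from OWASP. The form field names, the HMAC key, the strike threshold and the sample requests are all assumptions made up for the example. It seals a server-controlled hidden field with an HMAC so client-side tampering is detectable, adds a honeypot field that only automated tools fill in, and escalates per client from tracking to an outright block after repeated detections.

```csharp
// Added example (not from the course or the original page): an application-level
// "defensive coding" control that detects tampering and bot probes in submitted
// form data and reacts by allowing, tracking, diverting to a honeypot, or blocking.
// Field names, the key, the threshold and the sample requests are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public enum Verdict { Allow, Block, Track, Honeypot }

public sealed class RequestInspector
{
    // Server-side secret used to seal fields the client must not change (assumed key).
    private readonly byte[] _key;
    // Per-client count of detected attacks; drives the escalation policy.
    private readonly Dictionary<string, int> _strikes = new Dictionary<string, int>();
    private const int BlockThreshold = 3; // assumed policy: third strike blocks

    public RequestInspector(byte[] key) { _key = key; }

    // Hex HMAC-SHA256 over a value, so a hidden field (e.g. an order total) can be sealed
    // when the page is rendered and verified when the form comes back.
    public string Seal(string value)
    {
        using (var h = new HMACSHA256(_key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "");
    }

    // Constant-time comparison so the MAC cannot be guessed byte by byte from timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public Verdict Inspect(string clientIp, IDictionary<string, string> form)
    {
        // 1. Honeypot field: rendered hidden or off-screen, a human never fills it; a bot does.
        if (form.TryGetValue("website_url", out var trap) && !string.IsNullOrEmpty(trap))
            return Escalate(clientIp, Verdict.Honeypot);

        // 2. Tamper detection: a sealed field whose MAC no longer matches was edited client-side.
        if (form.TryGetValue("total", out var total) && form.TryGetValue("total_mac", out var mac))
        {
            if (!FixedTimeEquals(Seal(total), mac ?? string.Empty))
                return Escalate(clientIp, Verdict.Track);
        }
        else
        {
            // A missing seal is itself a sign that the request was hand-crafted.
            return Escalate(clientIp, Verdict.Track);
        }
        return Verdict.Allow;
    }

    // Record the strike; after repeated detections stop tracking and block outright.
    private Verdict Escalate(string clientIp, Verdict initial)
    {
        _strikes.TryGetValue(clientIp, out var n);
        _strikes[clientIp] = ++n;
        return n >= BlockThreshold ? Verdict.Block : initial;
    }

    public int Strikes(string clientIp) => _strikes.TryGetValue(clientIp, out var n) ? n : 0;
}

public static class Demo
{
    public static void Main()
    {
        var inspector = new RequestInspector(Encoding.UTF8.GetBytes("demo-secret-do-not-reuse"));
        string sealedTotal = inspector.Seal("49.90");

        // Constructed sample requests: one honest, one with an edited price, one from a bot.
        var legit = new Dictionary<string, string> { ["total"] = "49.90", ["total_mac"] = sealedTotal };
        var tampered = new Dictionary<string, string> { ["total"] = "0.01", ["total_mac"] = sealedTotal };
        var bot = new Dictionary<string, string>
        {
            ["total"] = "49.90", ["total_mac"] = sealedTotal, ["website_url"] = "http://spam.example"
        };

        Console.WriteLine(inspector.Inspect("10.0.0.5", legit));     // Allow
        Console.WriteLine(inspector.Inspect("10.0.0.9", tampered));  // Track (strike 1)
        Console.WriteLine(inspector.Inspect("10.0.0.9", tampered));  // Track (strike 2)
        Console.WriteLine(inspector.Inspect("10.0.0.9", tampered));  // Block (strike 3)
        Console.WriteLine(inspector.Inspect("10.0.0.7", bot));       // Honeypot
    }
}
```

In a real ASP.NET application the same checks would sit in a request filter or action filter rather than a console program, the strike table would live in a shared store rather than in-process memory, and a Honeypot verdict would route the client to a decoy page that logs everything it does instead of returning an error. The point the example makes is the one the abstract makes: the application itself can recognise an attack and choose its response, rather than leaving that entirely to a perimeter device.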


Sandeep Nain is an accomplished application security professional with an IT career spanning over 10 years. During this time he has worked alongside many high-profile national and international enterprises worldwide, enabling them to produce secure software.

Over the years, Sandeep has trained hundreds of developers and architects in defensive coding techniques and secure application design principles.