
Difference between revisions of "OWASP EU Summit 2008 Training (Courses to be Approved)"

(Course Name)
 
(45 intermediate revisions by 16 users not shown)
Line 1: Line 1:
The courses listed on this page are to be approved by OWASP Board.
+
Upon completion of the course details and board approval, courses will be moved to the main agenda.
  
  
Line 6: Line 6:
 
'''Instructor'''
 
'''Instructor'''
  
Eoin Keary and Daniel Cuthbert
+
Eoin Keary and Daniel Cuthbert (TBC)
  
 
'''Duration'''
 
'''Duration'''
  
Please enter the text here
+
0.5 day
  
 
'''Summary'''
 
'''Summary'''
  
Please enter the text here.
+
An introduction to secure code review from an OWASP standpoint. It covers how to approach the review, with tips and leading practice on how to get the most from a source code review, and looks at the OWASP tools that support the Code Review Guide.
  
 
'''Audience'''
 
'''Audience'''
 
+
Anyone that would like to learn more about secure code review.
Please enter the text here.
 
  
 
'''Table of Contents'''
 
'''Table of Contents'''
  
Please enter the text here.
+
TBD
 
 
 
'''Course Specifics'''
 
'''Course Specifics'''
  
Please enter the text here. (i.e. bring your own laptop)
+
TBD
  
 
== Advanced Phishing and Social Engineering Training==
 
== Advanced Phishing and Social Engineering Training==
Line 89: Line 87:
 
Please enter the text here. (i.e. bring your own laptop)
 
Please enter the text here. (i.e. bring your own laptop)
  
== Web server/services hardening using SELinux ==
+
== OWASP ESAPI ==
  
 
'''Instructor'''
 
'''Instructor'''
  
Pavol Luptak
+
Jeff Williams, Aspect Security
  
 
'''Duration'''
 
'''Duration'''
  
1 day
+
1 day.
  
 
'''Summary'''
 
'''Summary'''
 
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel, with a number of utilities, designed to provide mandatory access control (MAC) through the Linux Security Modules (LSM) framework in the kernel. SELinux supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security.
 
 
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).
 
 
This training introduces the basic concepts of SELinux and its differences from classical UNIX/Linux systems, describes the security advantages of mandatory access control policies, and teaches how to effectively and rapidly configure a fully functional LAMP environment on an SELinux system.
 
 
'''Audience'''
 
  
 
Please enter the text here.
 
Please enter the text here.
 
'''Table of Contents'''
 
 
1. SELinux history
 
 
2. Unix/Linux DAC (Discretionary Access Control) and its problems
 
 
3. MAC (Mandatory Access Control)
 
 
4. Advantages of using MAC
 
 
5. DTE (Domain Type Enforcement) model
 
 
6. RBAC (Roles Based Access Control) model
 
 
7. MLS (Multi Level Security) model
 
 
8. SELinux FLASK Architecture
 
 
9. SELinux policy (EXERCISE)
 
 
10. File System Security Contexts (EXERCISE)
 
 
11. SELinux Object Classes and Permissions
 
 
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)
 
 
13. Understanding AVC, log messages
 
 
14. audit2allow and audit2why (EXERCISE)
 
 
15. SELinux Troubleshoot Tool (EXERCISE)
 
 
16. Auditing and Auditing tools
 
 
17. Policy Macros
 
 
18. Backtracking rule (EXERCISE)
 
 
19. SELinux Users, Roles, MLS Levels
 
 
20. Strict Policy
 
 
21. Targeted Policy
 
 
22. SELinux Booleans and their use for Apache web server (EXERCISE)
 
 
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)
 
 
24. Analyzing Example Policy - apache.te (EXERCISE)
 
 
25. Assigning Object and Process Types
 
 
26. SELinux Booting
 
 
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)
 
 
28. Policy core utilities
 
 
29. Managing File Labeling, Relabeling a File System (EXERCISE)
 
 
30. SELinux Administrator GUI (EXERCISE)
 
 
31. SELinux Modules (EXERCISE)
 
 
32. Hardening existing LAMP environments using SELinux (EXERCISE)
 
 
33. Writing New Policy for a Daemon (EXERCISE for clever students)
 
 
'''Course Specifics'''
 
 
Please enter the text here. (i.e. bring your own laptop)
 
 
== Java Secure Programming==
 
 
'''Instructor'''
 
 
Lucas Ferreira
 
 
'''Duration'''
 
 
Please enter the text here.
 
 
'''Summary'''
 
 
 
This training class will present best practices of secure programming in the Java language. It includes Java-specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode executed by the JVM) and practices that also apply to other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be demonstrated.
 
 
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.
 
  
 
'''Audience'''
 
'''Audience'''
Line 212: Line 113:
 
Please enter the text here. (i.e. bring your own laptop)
 
Please enter the text here. (i.e. bring your own laptop)
  
== Advanced Web Application Penetration Testing ==
+
== Web Services and SOA Security ==
  
 
'''Instructor'''
 
'''Instructor'''
  
Aspect Security
+
Dave Wichers, Aspect Security
  
 
'''Duration'''
 
'''Duration'''
  
Please enter the text here.
+
2 days
  
 
'''Summary'''
 
'''Summary'''
Line 238: Line 139:
 
Please enter the text here. (i.e. bring your own laptop)
 
Please enter the text here. (i.e. bring your own laptop)
  
== Leading, Planning, and Executing an Application Security Initiative==
+
== Advanced Web Application Security Testing ==
  
 
'''Instructor'''
 
'''Instructor'''
  
Aspect Security
+
Michael Coates, Aspect Security
  
 
'''Duration'''
 
'''Duration'''
  
Please enter the text here.
+
2 days
  
 
'''Summary'''
 
'''Summary'''
Line 264: Line 165:
 
Please enter the text here. (i.e. bring your own laptop)
 
Please enter the text here. (i.e. bring your own laptop)
  
== Foundations of Web Application Security==
 
 
'''Instructor'''
 
  
Aspect Security
+
== AJAX Security ==
 
 
'''Duration'''
 
 
 
Please enter the text here.
 
 
 
'''Summary'''
 
 
 
Please enter the text here.
 
 
 
'''Audience'''
 
 
 
Please enter the text here.
 
 
 
'''Table of Contents'''
 
 
 
Please enter the text here.
 
 
 
'''Course Specifics'''
 
 
 
Please enter the text here. (i.e. bring your own laptop)
 
 
 
== Secure Coding .NET Web Applications==
 
 
 
'''Instructor'''
 
 
 
Aspect Security
 
 
 
'''Duration'''
 
 
 
Please enter the text here.
 
 
 
'''Summary'''
 
 
 
Please enter the text here.
 
 
 
'''Audience'''
 
 
 
Please enter the text here.
 
 
 
'''Table of Contents'''
 
 
 
Please enter the text here.
 
 
 
'''Course Specifics'''
 
 
 
Please enter the text here. (i.e. bring your own laptop)
 
 
 
== Course Name==
 
  
 
'''Instructor'''
 
'''Instructor'''
  
Please enter the text here.
+
Brad Causey
  
 
'''Duration'''
 
'''Duration'''
  
Please enter the text here.
+
1 Day
  
 
'''Summary'''
 
'''Summary'''
  
Please enter the text here.
+
This course will provide an introduction to AJAX, its inherent security issues, how to detect them, and how to resolve them.
  
 
'''Audience'''
 
'''Audience'''
  
Please enter the text here.
+
Web Application Security Professionals
  
 
'''Table of Contents'''
 
'''Table of Contents'''
  
Please enter the text here.
+
* Introduction to AJAX
 +
* Security Issues with architecture
 +
* Toolkits
 +
* Toolkit Security Concerns
 +
* Bridges and Issues
 +
* Attacking AJAX
 +
* Defending AJAX
 +
* Securing the Code
 +
* Best Practices
 +
* Other Issues and Concerns
 +
* Q and A
  
'''Course Specifics'''
 
 
Please enter the text here. (i.e. bring your own laptop)
 
 
== Course Name==
 
 
'''Instructor'''
 
 
Please enter the text here.
 
 
'''Duration'''
 
 
Please enter the text here.
 
 
'''Summary'''
 
 
Please enter the text here.
 
 
'''Audience'''
 
 
Please enter the text here.
 
 
'''Table of Contents'''
 
 
Please enter the text here.
 
  
 
'''Course Specifics'''
 
'''Course Specifics'''
  
Please enter the text here. (i.e. bring your own laptop)
+
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.
 
 
  
== Course Name==
+
== Course Name {template} ==
  
 
'''Instructor'''
 
'''Instructor'''

Latest revision as of 20:15, 13 October 2008

Upon completion of the course details and board approval, courses will be moved to the main agenda.


Source Code Review

Instructor

Eoin Keary and Daniel Cuthbert (TBC)

Duration

0.5 day

Summary

An introduction to secure code review from an OWASP standpoint. It covers how to approach the review, with tips and leading practice on how to get the most from a source code review, and looks at the OWASP tools that support the Code Review Guide.

Audience

Anyone that would like to learn more about secure code review.

Table of Contents

TBD

Course Specifics

TBD

Advanced Phishing and Social Engineering Training

Instructor

Joshua Perrymon

Duration

1 day

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

This class is designed to illustrate hands-on methods used in the real world for attacking the human layer. This includes a focus on spear-phishing using the newly introduced OWASP phishing framework (LUNKER). Attendees will identify target emails using a variety of methods, identify potential phish sites, create a spoofed email and send the attack, all in a locally run test environment in VMware or on a LiveCD.

Upon completion of this course, attendees will have an in-depth understanding of the latest techniques used to perform these types of attacks. The class will also include additional social engineering attack methods such as impersonation, authority attacks, pre-text attacks, and much more. Advanced topics such as Email Payloads and 2nd Factor token MITM attacks will be covered as well.

1. Introduction to Social Engineering

2. Understanding the Human Aspect of Security

3. Review of aggressively vertical hacking methodology

4. Analysis of attack trending over the years (Up the OSI Model)

5. Review of public Social Engineering Attacks in the media

6. Hands on: Spear Phishing Demo using the Lunker Framework

    a. Understanding the Social Engineering Scope of work
    b. Setup Client Info
    c. Gather Email addresses/targets
    d. Identify potential phishing sites
    e. Creation of spoofed emails
        i. Custom footers
        ii. Attack Scenarios
        iii. Email header options
    f. Test Environment: Review the spoofed email and phishing site
    g. Send attack
    h. Monitor: Discuss steps to take at this point once the users send in credentials.
    i. Advanced Phishing Attacks: Recon, XSS/CSRF/Browser Exploit/Trojan payloads
    j. MITM Attacks on 2-factor Authentication
    k. Summary


Course Specifics

Please enter the text here. (i.e. bring your own laptop)

OWASP ESAPI

Instructor

Jeff Williams, Aspect Security

Duration

1 day.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Web Services and SOA Security

Instructor

Dave Wichers, Aspect Security

Duration

2 days

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Advanced Web Application Security Testing

Instructor

Michael Coates, Aspect Security

Duration

2 days

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)


AJAX Security

Instructor

Brad Causey

Duration

1 Day

Summary

This course will provide an introduction to AJAX, its inherent security issues, how to detect them, and how to resolve them.

Audience

Web Application Security Professionals

Table of Contents

  • Introduction to AJAX
  • Security Issues with architecture
  • Toolkits
  • Toolkit Security Concerns
  • Bridges and Issues
  • Attacking AJAX
  • Defending AJAX
  • Securing the Code
  • Best Practices
  • Other Issues and Concerns
  • Q and A


Course Specifics

Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.

Course Name {template}

Instructor

Please enter the text here.

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)