OWASP AppSec Europe 2008 - Belgium/Training

Conference Training Day - Two Day Training Courses - May 20th-21st, 2008
OWASP has arranged to have tbd 2-day Application Security training courses prior to the conference.

(tbd) The first three courses will be provided by a long time contributor to OWASP, Aspect Security. The fourth course will be provided by another active OWASP member, the Arctec Group. The fifth course is being provided by Dinis Cruz, the OWASP Chief Evangelist. The sixth course is being presented by frequent OWASP/WASC contributor Breach Security.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

*Note: Information corresponding to each training course is located below.

Pricing

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

Location

At tbd in Belgium. Same location as the conference. (tbd insert maps) Course Times

Each class begins at 9 AM and runs until 5:30 PM each day.

Registration

Registration is available via the OWASP Conference Cvent site at: (tbd insert cevent)

T1. Building and Testing Secure Web Applications - 2-Day Course - May 20-21, 2008
Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more):


 * Authentication and Session Management
 * Access Control
 * Cross-Site Request Forgery (CSRF)
 * Cross-Site Scripting (XSS)
 * Input Validation
 * Protecting Sensitive Data (w/ Crypto)
 * Caching, Pooling, and Reuse Errors
 * Database Security (Including SQL Injection)
 * Error Handling and Logging
 * Denial of Service
 * Code Quality
 * Accessing Services Securely
 * Setting Security Policy
 * Integrating Security into the SDLC

For each area, the course covers the following:


 * Theoretical foundations
 * Recommended security policies
 * Common pitfalls when implementing
 * Details on historical exploits
 * Best practices for implementation

Hands on Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

Registration

Registration is available via the OWASP Conference Cvent site at: (tbd insert cevent)

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: http://www.owasp.org/images/d/d1/Aspect_logo.gif

T2. Leader-Management training (tbd - Dave) - 1-Day Course - May 20, 2008
Summary

tbd

Course Overview

tbd

Details

Requirements

tbd

Registration

Registration is available via the OWASP Conference Cvent site at: (tbd insert cevent)

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: http://www.owasp.org/images/d/d1/Aspect_logo.gif

T3. Building Secure Rich Internet Applications (tbd Dave)- 1-Day Course - May 21, 2008
Summary

tbd: Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development.

Course Overview tbd

Details

tbd

Requirements

tbd

Registration

Registration is available via the OWASP Conference Cvent site at: (tbd insert cevent)

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: http://www.owasp.org/images/d/d1/Aspect_logo.gif

T4. Web Services and XML Security - 2-Day Course - May 20-21, 2008 (to be confirmed)
Course Overview

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Details

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:


 * Web Services attack patterns
 * Common XML attack patterns
 * Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
 * Identity services and federation with SAML and Liberty
 * Hardening Web Services servers
 * Input validation for Web Services
 * Integrating Web Services securely with backend resources and applications using WS-Trust
 * Secure Exception handling in Web Services

Registration

Registration is available via the OWASP Conference Cvent site at: (tbd insert cevent)

Tutorial Provider

This tutorial is provided by http://www.owasp.org/images/b/bc/Arctec_logo.jpeg

T5. ModSecurity Boot-Camp Training - 2-Day Course - May 20-21, 2008
Course Overview

ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day, boot-camp class is designed for those people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible. The course will cover topics such as: the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and also provides an in-depth look at the extremely powerful ModSecurity Rules Language. Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.

Curriculum

Day 1: Deployment and Management
 * Introduction to Web Application Firewalls
 * Overview of the Web Application Firewall Evaluation Criteria
 * Introduction to ModSecurity
 * ModSecurity architecture
 * ModSecurity deployment options
 * ModSecurity installation
 * ModSecurity configuration and operation
 * ModSecurity directives and features overview
 * ModSecurity rules primer
 * ModSecurity tuning
 * ModSecurity console deployment and usage

Day 2: Rules Writing Workshop
 * Introduction to ModSecurity’s Rule Language
 * Anatomy of a ModSecurity rule
 * Overview of PCRE
 * Variables
 * Transformation functions
 * Actions
 * Using advanced rule syntax with the “chain” action
 * Overview of the Core Rule set
 * Creating custom rules
 * Virtual Patching
 * Using initcol and setsid for stateful rules
 * Good rule writing practices
 * Testing rules
 * Tuning rules
 * Rule Debugging
 * Rule management

Hands on Exercises

Hands-on labs will include installation and use of the ModSecurity Console on day 1, and a unique challenge on day 2 where the participants will have to use ModSecurity to try and mitigate as many vulnerabilities as possible in the OWASP WebGoat application.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a laptop. The class will use a custom VMware image so you will need to have VMware Player, Workstation or Server pre-installed. Additionally, some of the tools we will be using outside of the VMware host will require Java so ensure that you have installed/updated to the latest version.

Registration

Registration is available via the OWASP Conference Cvent site at: (tbd insert cevent)

Tutorial Provider

This tutorial is provided by Ryan Barnett (ModSecurity Community Manager and Director of Application Security Training at http://www.owasp.org/images/9/9c/Breach_logo.gif)


 * Special Note: Ivan Ristic, ModSecurity Creator and Breach Security Chief Evangelist, will be in attendance to answer questions and also to present on the ModSecurity development roadmap.