7th OWASP AppSec Conference - San Jose 2007/Training

Conference Training Day - Two Day Training Courses - November 12th-13th, 2007
OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

*Note: Information corresponding to each training course is located below.

Pricing

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

Location

At eBay in San Jose. Same location as the conference.

Course Times

Each class begins at 9 AM and runs until 5 PM each day.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007
Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompasses the entire OWASP Top 10 plus more):


 * Authentication and Session Management
 * Access Control
 * Cross-Site Request Forgery (CSRF)
 * Cross-Site Scripting (XSS)
 * Input Validation
 * Protecting Sensitive Data (w/ Crypto)
 * Caching, Pooling, and Reuse Errors
 * Database Security (Including SQL Injection)
 * Error Handling and Logging
 * Denial of Service
 * Code Quality
 * Accessing Services Securely
 * Setting Security Policy
 * Integrating Security into the SDLC

For each area, the course covers the following:


 * Theoretical foundations
 * Recommended security policies
 * Common pitfalls when implementing
 * Details on historical exploits
 * Best practices for implementation

Hands on Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: http://www.owasp.org/images/d/d1/Aspect_logo.gif

T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007
Summary

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:


 * Unvalidated Parameters *
 * Broken Access Control *
 * Broken Account and Session Management *
 * Cross-Site Scripting (XSS) Flaws *
 * Buffer Overflows *
 * Command Injection Flaws *
 * Error Handling Problems *
 * Insecure Use of Cryptography *
 * Denial of Service *
 * Web and Application Server Misconfiguration *
 * Poor Logging Practices
 * Caching, Pooling, and Reuse Errors
 * Code Quality

* The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:


 * Theoretical foundations
 * Recommended security policies
 * Common pitfalls when implementing
 * Details on historical exploits
 * Best practices for implementation

Hands on Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by longtime OWASP contributor: http://www.owasp.org/images/d/d1/Aspect_logo.gif

T3. Using OWASP in the Enterprise or WADL
Course Overview

Apart from OWASP's Top 10, most OWASP projects (https://www.owasp.org/index.php/Category:OWASP_Project) are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL)

This course aims to change that by providing detailed presentations of the most mature and enterprise ready projects together with practical examples of how to use them.

Curriculum


 * Part 1: OWASP Documentation Projects
 * Part 2: OWASP Tools
 * Part 3: Using OWASP in the Enterprise
 * Part 4: Using OWASP in the WADL (Web Application Development Lifecycle)

Hands on Exercises

The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a laptop.

Registration

Registration is available via the OWASP Conference Cvent site at:

Tutorial Provider

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007
Course Overview

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Details

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:


 * Web Services attack patterns
 * Common XML attack patterns
 * Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
 * Identity services and federation with SAML and Liberty
 * Hardening Web Services servers
 * Input validation for Web Services
 * Integrating Web Services securely with backend resources and applications using WS-Trust
 * Secure Exception handling in Web Services

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by http://www.owasp.org/images/b/bc/Arctec_logo.jpeg