AppSec Seattle 2006/Training

Conference Training Day - One Day Training Courses - October 16th, 2006
OWASP has arranged to have two one day Application Security training courses the day prior to the conference.

The first course will be provided by a long time contributor to OWASP, Aspect Security. The second course will be provided by another active OWASP member, the Arctec Group. Both of these courses were offered at the OWASP Europe 2006 conference and were well received. These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

*Note: Information corresponding to each training course is located below.

Pricing

$675 [Note: This fee includes breakfast pastries, snacks, and LUNCH]

Location

Bell Harbor International Conference Center

Course Times

Each class begins at 8:30 AM and runs until 5 PM.

Registration

TBD

T1. Foundations of Web Application Security - One Day Course - October 16th, 2006
Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:


 * Unvalidated Parameters *
 * Broken Access Control *
 * Broken Account and Session Management *
 * Cross-Site Scripting (XSS) Flaws *
 * Buffer Overflows *
 * Command Injection Flaws *
 * Error Handling Problems *
 * Insecure Use of Cryptography *
 * Denial of Service *
 * Web and Application Server Misconfiguration *
 * Poor Logging Practices
 * Caching, Pooling, and Reuse Errors
 * Code Quality

* The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:


 * Theoretical foundations
 * Recommended security policies
 * Common pitfalls when implementing
 * Details on historical exploits
 * Best practices for implementation

Hands on Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

Registration

TBD

T2. Web Services and XML Security - One Day Course - October 16th, 2006
Course Overview

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Details

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:


 * Web Services attack patterns
 * Common XML attack patterns
 * Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
 * Identity services and federation with SAML and Liberty
 * Hardening Web Services servers
 * Input validation for Web Services
 * Integrating Web Services securely with backend resources and applications using WS-Trust
 * Secure Exception handling in Web Services

Registration

TBD

T3. .NET Security - One Day Course - October 16th, 2006
Course Overview

In this one day course you will push Asp.Net to the limit and will be shown how Asp .NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .Net Framework. You will also learn advanced defense techniques such as: Building an Asp .NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .Net Framework or the CLR."

Details

The Course is made of 2 modules (one in the morning and one in the afternoon)

Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting Asp.Net Applications


 * Analysis of the .Net Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
 * Using quick-and-dirty threat models to discover vulnerabilities in the target application
 * Exploiting vulnerabilities in Asp.Net applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
 * Exploiting Buffer Overflows and Windows vulnerabilities via Asp.Net Applications

Module 2: Exploiting Full Trust and Partial Trust Asp.Net Environments; Advanced Asp.Net Countermeasures


 * Practical demonstrations of the power of Full Trust Asp.Net:
 * Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
 * Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
 * Exploiting Insecure Partial Trust Asp.Net Environments
 * Applying real-time security patches in the target application, .Net Framework and CLR
 * Solutions to create secure Data Validation and Authorization architectures
 * Creating secure Asp.Net hosting environments
 * Building an Asp.Net Security Protection layer (also called web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

Requirements

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

Prerequisites

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:


 * Have a good understanding of a .NET Language (Ideally C#)
 * Be familiar with MSIL/Assembly
 * Have some experience with debugging user-land applications
 * Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

Trainer

Dinis Cruz is the current Owasp .Net Project leader and the main developer of several of OWASP .Net tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Dinis is also is a Senior IOActive Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development.

Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

Registration

TBD