Difference between revisions of "7th OWASP AppSec Conference - San Jose 2007/Training"

From OWASP
(Conference Training Day - Two Day Training Courses - November 12th-13th, 2007)
m (Conference Training Day - Two Day Training Courses - November 12th-13th, 2007)
 
(30 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==
 
== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==
  
OWASP has arranged to have four 2-day Application Security training courses prior to the conference.
+
OWASP has arranged to have six 2-day Application Security training courses prior to the conference.
  
The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.
+
The first three courses will be provided by a long time contributor to OWASP, Aspect Security. The fourth course will be provided by another active OWASP member, the Arctec Group. The fifth course is being provided by Dinis Cruz, the OWASP Chief Evangelist. The sixth course is being presented by frequent OWASP/WASC contributor Breach Security. Most of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.
  
 
These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.
 
These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.
Line 9: Line 9:
 
{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
 
{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
+
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications</div>
 
|-
 
|-
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
+
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE</div>
 +
|-
 +
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
 +
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding .NET Web Applications</div>
 
|-
 
|-
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
 
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
+
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security</div>
 +
|-
 +
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T5</div>
 +
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Leveraging OWASP Tools and Documents to Secure Your Enterprise</div>
 +
|-
 +
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T6</div>
 +
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">ModSecurity Boot-Camp Training</div>
 
|}
 
|}
  
Line 30: Line 39:
 
'''Location'''
 
'''Location'''
  
At eBay in San Jose. Same location as the conference.
+
At eBay in San Jose. Same location as the conference. [http://maps.google.com/maps?f=q&hl=en&geocode=&time=&date=&ttype=&q=2211+North+First+Street++San+Jose,+CA&sll=37.35288,-121.9047&sspn=0.201136,0.304184&ie=UTF8&t=h&z=17&om=1 Click Here for Map] [http://maps.google.com/maps?f=d&hl=en&geocode=&time=&date=&ttype=&saddr=san+jose+airport&daddr=2211+North+First+Street++San+Jose,+CA&sll=37.377249,-121.921354&sspn=0.006283,0.009506&ie=UTF8&z=15&om=1 From San Jose Airport] [http://maps.google.com/maps?f=d&hl=en&geocode=&time=&date=&ttype=&saddr=San+Francisco+airport&daddr=2211+North+First+Street++San+Jose,+CA&sll=37.36999,-121.92282&sspn=0.025136,0.038023&ie=UTF8&z=11&om=1 From San Francisco Airport]
  
 
'''Course Times'''
 
'''Course Times'''
  
Each class begins at 9 AM and runs until 5 PM each day.
+
Each class begins at 9 AM and runs until 5:30 PM each day.
  
 
'''Registration'''
 
'''Registration'''
Line 44: Line 53:
 
'''Course Overview'''
 
'''Course Overview'''
  
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
+
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
  
 
This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
 
This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
Line 52: Line 61:
 
This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.
 
This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.
  
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:
+
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more):  
  
* Unvalidated Parameters *
+
* Authentication and Session Management
* Broken Access Control *
+
* Access Control
* Broken Account and Session Management *
+
* Cross-Site Request Forgery (CSRF)
* Cross-Site Scripting (XSS) Flaws *
+
* Cross-Site Scripting (XSS)
* Buffer Overflows *
+
* Input Validation
* Command Injection Flaws *
+
* Protecting Sensitive Data (w/ Crypto)
* Error Handling Problems *
+
* Caching, Pooling, and Reuse Errors
* Insecure Use of Cryptography *
+
* Database Security (Including SQL Injection)
* Denial of Service *
+
* Error Handling and Logging
* Web and Application Server Misconfiguration *
+
* Denial of Service
* Poor Logging Practices
+
* Caching, Pooling, and Reuse Errors
+
 
* Code Quality
 
* Code Quality
 +
* Accessing Services Securely
 +
* Setting Security Policy
 +
* Integrating Security into the SDLC
  
<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities
 
  
 
For each area, the course covers the following:
 
For each area, the course covers the following:
Line 84: Line 93:
 
'''Requirements'''
 
'''Requirements'''
  
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.
+
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.
  
 
'''Registration'''
 
'''Registration'''
Line 98: Line 107:
 
'''Summary'''
 
'''Summary'''
  
This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.
+
This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
 +
# Java EE security overview,
 +
# All coding examples and recommendations are specifically focused on Java and Java servers, and
 +
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.
 +
 
 +
To make room for this Java specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.
  
 
This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.
 
This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.
Line 104: Line 118:
 
'''Course Overview'''
 
'''Course Overview'''
  
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
+
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
  
This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
+
This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
  
 
'''Details'''
 
'''Details'''
  
This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.
+
This course starts with a module designed to raise awareness of just how insecure most Java EE based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how Java EE web applications work from a security perspective.
  
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:
+
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following Java EE web application security areas (which encompass the entire OWASP Top 10 plus more):  
  
* Unvalidated Parameters *
+
* Authentication and Session Management
* Broken Access Control *
+
* Access Control
* Broken Account and Session Management *
+
* Cross-Site Request Forgery (CSRF)
* Cross-Site Scripting (XSS) Flaws *
+
* Cross-Site Scripting (XSS)
* Buffer Overflows *
+
* Input Validation
* Command Injection Flaws *
+
* Protecting Sensitive Data (w/ Crypto)
* Error Handling Problems *
+
* Database Security (Including SQL Injection)
* Insecure Use of Cryptography *
+
* Error Handling and Logging
* Denial of Service *
+
* Web and Application Server Misconfiguration *
+
* Poor Logging Practices
+
* Caching, Pooling, and Reuse Errors
+
 
* Code Quality
 
* Code Quality
 
<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities
 
  
 
For each area, the course covers the following:
 
For each area, the course covers the following:
Line 138: Line 146:
 
* Best practices for implementation
 
* Best practices for implementation
  
'''Hands on Exercises'''
+
'''Hands on Testing Exercises'''
  
 
To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
 
To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
  
For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.
+
'''Hands on Coding Exercises''' (Only in Java specific version of this class!)
 +
 
 +
For this Java focused course, students will additionally have the opportunity to find, exploit, and then fix Java coding vulnerabilities in three different Java labs using Eclipse.
  
 
'''Requirements'''
 
'''Requirements'''
  
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.
+
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.
  
 
'''Registration'''
 
'''Registration'''
Line 156: Line 166:
 
This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
 
This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
  
== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==
+
== T3. Secure Coding .NET Web Applications - 2-Day Course - Nov 12-13, 2007 ==
  
'''Course Overview'''
+
'''Summary'''
  
In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.
+
This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:
 +
# .NET Framework security overview,
 +
# All coding examples and recommendations are specifically focused on .NET, and
 +
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class.
  
'''Details'''
+
This class covers, and includes examples from, both C# and ASP.NET.
  
The Course is made of 2 modules
+
To make room for this .NET specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.
  
'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''
+
This course is a compressed version of Aspect's standard 3-day Secure Coding for .NET course.
  
* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
+
'''Course Overview'''
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
+
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
+
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications
+
  
'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''
+
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
  
* Practical demonstrations of the power of Full Trust ASP.NET:
+
This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
+
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
+
* Exploiting Insecure Partial Trust ASP.NET Environments
+
* Applying real-time security patches in the target application, .NET Framework and CLR
+
* Solutions to create secure Data Validation and Authorization architectures
+
* Creating secure ASP.NET hosting environments
+
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);
+
  
You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.
+
'''Details'''
  
'''Requirements'''
+
This course starts with a module designed to raise awareness of just how insecure most .NET based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.
  
A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.
+
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):
  
'''Prerequisites'''
+
* Authentication and Session Management
 +
* Access Control
 +
* Cross-Site Request Forgery (CSRF)
 +
* Cross-Site Scripting (XSS)
 +
* Input Validation
 +
* Protecting Sensitive Data (w/ Crypto)
 +
* Database Security (Including SQL Injection)
 +
* Error Handling and Logging
 +
* Code Quality
  
This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.
+
For each area, the course covers the following:
  
To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:
+
* Theoretical foundations
 +
* Recommended security policies
 +
* Common pitfalls when implementing
 +
* Details on historical exploits
 +
* Best practices for implementation
  
* Have a good understanding of a .NET Language (Ideally C#)
+
'''Hands on Testing Exercises'''
* Be familiar with MSIL/Assembly
+
* Have some experience with debugging user-land applications
+
* Have commercial experience on either application development or security auditing.
+
  
The material is presented at a pace adjusted for experienced developers and/or security consultants.
+
To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
  
'''Trainer'''
+
'''Hands on Coding Exercises''' (Only in .NET specific version of this class!)
  
Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).
+
For this .NET focused course, students will additionally have the opportunity to find, exploit, and then fix .NET coding vulnerabilities in three different .NET labs using Visual Studio.
  
Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.
+
'''Requirements'''
 +
 
 +
If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.
  
 
'''Registration'''
 
'''Registration'''
Line 215: Line 229:
 
'''Tutorial Provider'''
 
'''Tutorial Provider'''
  
This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)
+
This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
  
 
== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==
 
== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==
Line 245: Line 259:
  
 
This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]
 
This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]
 +
 +
== T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise - 2-Day Course - Nov 12-13, 2007 ==
 +
 +
'''Course Overview'''
 +
 +
Apart from OWASP's Top 10, most OWASP projects (https://www.owasp.org/index.php/Category:OWASP_Project) are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL)
 +
 +
This course aims to change that by providing detailed presentations of the most mature and enterprise ready projects together with practical examples of how to use them.
 +
 +
Curriculum
 +
 +
* Part 1: OWASP Documentation Projects
 +
* Part 2: OWASP Tools
 +
* Part 3: Using OWASP in the Enterprise
 +
* Part 4: Using OWASP in the WADL (Web Application Development Lifecycle)
 +
 +
'''Hands on Exercises'''
 +
 +
The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.
 +
 +
'''Requirements'''
 +
 +
If you are interested in participating in the hands on portion of the course, please bring a laptop.
 +
 +
'''Registration'''
 +
 +
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd
 +
 +
'''Tutorial Provider'''
 +
 +
This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)
 +
 +
== T6. ModSecurity Boot-Camp Training - 2-Day Course - Nov 12-13, 2007 ==
 +
 +
'''Course Overview'''
 +
 +
ModSecurity is currently the most widely deployed web application firewall (WAF) product.  This two-day, boot-camp class is designed for those people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible.  The course will cover topics such as: the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and also provides an in-depth look at the extremely powerful ModSecurity Rules Language.  Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities.  Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.
 +
 +
Curriculum
 +
 +
Day 1: Deployment and Management
 +
* Introduction to Web Application Firewalls
 +
* Overview of the Web Application Firewall Evaluation Criteria
 +
* Introduction to ModSecurity
 +
* ModSecurity architecture
 +
* ModSecurity deployment options
 +
* ModSecurity installation
 +
* ModSecurity configuration and operation
 +
* ModSecurity directives and features overview
 +
* ModSecurity rules primer
 +
* ModSecurity tuning
 +
* ModSecurity console deployment and usage
 +
 +
Day 2: Rules Writing Workshop
 +
* Introduction to ModSecurity’s Rule Language
 +
* Anatomy of a ModSecurity rule
 +
* Overview of PCRE
 +
* Variables
 +
* Transformation functions
 +
* Actions
 +
* Using advanced rule syntax with the “chain” action
 +
* Overview of the Core Rule set
 +
* Creating custom rules
 +
* Virtual Patching
 +
* Using initcol and setsid for stateful rules
 +
* Good rule writing practices
 +
* Testing rules
 +
* Tuning rules
 +
* Rule Debugging
 +
* Rule management
 +
 +
'''Hands on Exercises'''
 +
 +
Hands-on labs will include installation and use of the ModSecurity Console on day 1, and a unique challenge on day 2 where the participants will have to use ModSecurity to try and mitigate as many vulnerabilities as possible in the OWASP WebGoat application.
 +
 +
'''Requirements'''
 +
 +
If you are interested in participating in the hands on portion of the course, please bring a laptop.  The class will use a custom VMware image so you will need to have VMware Player, Workstation or Server pre-installed.  Additionally, some of the tools we will be using outside of the VMware host will require Java so ensure that you have installed/updated to the latest version.
 +
 +
'''Registration'''
 +
 +
Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd
 +
 +
'''Tutorial Provider'''
 +
 +
This tutorial is provided by Ryan Barnett (ModSecurity Community Manager and Director of Application Security Training at [http://www.breach.com http://www.owasp.org/images/9/9c/Breach_logo.gif])
 +
 +
* Special Note: Ivan Ristic, ModSecurity Creator and Breach Security Chief Evangelist, will be in attendance to answer questions and also to present on the ModSecurity development roadmap.

Latest revision as of 17:09, 9 November 2007


Conference Training Day - Two Day Training Courses - November 12th-13th, 2007

OWASP has arranged to have six 2-day Application Security training courses prior to the conference.

The first three courses will be provided by a long time contributor to OWASP, Aspect Security. The fourth course will be provided by another active OWASP member, the Arctec Group. The fifth course is being provided by Dinis Cruz, the OWASP Chief Evangelist. The sixth course is being presented by frequent OWASP/WASC contributor Breach Security. Most of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

T1. Building and Testing Secure Web Applications
T2. Secure Coding for Java EE
T3. Secure Coding .NET Web Applications
T4. Web Services and XML Security
T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise
T6. ModSecurity Boot-Camp Training

* Note: Information corresponding to each training course is located below.

Pricing

$1300 for conference attendees. [Note: This fee includes snacks and lunch.]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

Location

At eBay in San Jose, the same location as the conference.

Course Times

Each class begins at 9 AM and runs until 5:30 PM each day.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so that students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more):

  • Authentication and Session Management
  • Access Control
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Input Validation
  • Protecting Sensitive Data (w/ Crypto)
  • Caching, Pooling, and Reuse Errors
  • Database Security (Including SQL Injection)
  • Error Handling and Logging
  • Denial of Service
  • Code Quality
  • Accessing Services Securely
  • Setting Security Policy
  • Integrating Security into the SDLC


For each area, the course covers the following:

  • Theoretical foundations
  • Recommended security policies
  • Common pitfalls when implementing
  • Details on historical exploits
  • Best practices for implementation

Hands-on Exercises

To cement the principles delivered in the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During these exercises students will attack a live web application (WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Requirements

If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by longtime OWASP contributor Aspect Security.

T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007

Summary

This course is similar to Aspect's Building and Testing Secure Web Applications except that it includes a significant amount of Java-focused content, including:

  1. A Java EE security overview,
  2. Coding examples and recommendations focused specifically on Java and Java servers, and
  3. Three additional hands-on coding labs in which students find and then fix security vulnerabilities in a Java EE application developed for the class.

To make room for this Java-specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so that students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most Java EE based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how Java EE web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following Java EE web application security areas (which encompass the entire OWASP Top 10 plus more):

  • Authentication and Session Management
  • Access Control
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Input Validation
  • Protecting Sensitive Data (w/ Crypto)
  • Database Security (Including SQL Injection)
  • Error Handling and Logging
  • Code Quality

For each area, the course covers the following:

  • Theoretical foundations
  • Recommended security policies
  • Common pitfalls when implementing
  • Details on historical exploits
  • Best practices for implementation

Hands-on Testing Exercises

To cement the principles delivered in the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During these exercises students will attack a live web application (WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Hands-on Coding Exercises (Only in the Java-specific version of this class!)

For this Java-focused course, students will additionally have the opportunity to find, exploit, and then fix Java coding vulnerabilities in three different Java labs using Eclipse.

Requirements

If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by longtime OWASP contributor Aspect Security.

T3. Secure Coding .NET Web Applications - 2-Day Course - Nov 12-13, 2007

Summary

This course is similar to Aspect's Building and Testing Secure Web Applications except that it includes a significant amount of .NET-focused content, including:

  1. A .NET Framework security overview,
  2. Coding examples and recommendations focused specifically on .NET, and
  3. Three additional hands-on coding labs in which students find and then fix security vulnerabilities in a .NET application developed for the class.

This class covers, and includes examples from, both C# and ASP.NET.

To make room for this .NET-specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for .NET course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so that students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most .NET based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):

  • Authentication and Session Management
  • Access Control
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Input Validation
  • Protecting Sensitive Data (w/ Crypto)
  • Database Security (Including SQL Injection)
  • Error Handling and Logging
  • Code Quality

For each area, the course covers the following:

  • Theoretical foundations
  • Recommended security policies
  • Common pitfalls when implementing
  • Details on historical exploits
  • Best practices for implementation

Hands-on Testing Exercises

To cement the principles delivered in the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During these exercises students will attack a live web application (WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Hands-on Coding Exercises (Only in the .NET-specific version of this class!)

For this .NET-focused course, students will additionally have the opportunity to find, exploit, and then fix .NET coding vulnerabilities in three different .NET labs using Visual Studio.

Requirements

If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by longtime OWASP contributor Aspect Security.

T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007

Course Overview

The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks these architectures pose. This session takes a pragmatic approach to identifying Web Services security risks and to selecting and applying countermeasures to the application and its code, web servers, databases, application and identity servers, and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Details

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

  • Web Services attack patterns
  • Common XML attack patterns
  • Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
  • Identity services and federation with SAML and Liberty
  • Hardening Web Services servers
  • Input validation for Web Services
  • Integrating Web Services securely with backend resources and applications using WS-Trust
  • Secure Exception handling in Web Services

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by the Arctec Group.

T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise - 2-Day Course - Nov 12-13, 2007

Course Overview

Apart from OWASP's Top 10, most OWASP projects (https://www.owasp.org/index.php/Category:OWASP_Project) are not widely used and understood. In most cases this is not due to a lack of quality or usefulness in those document and tool projects, but to a lack of understanding of where they fit in an enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL).

This course aims to change that by providing detailed presentations of the most mature and enterprise ready projects together with practical examples of how to use them.

Curriculum

  • Part 1: OWASP Documentation Projects
  • Part 2: OWASP Tools
  • Part 3: Using OWASP in the Enterprise
  • Part 4: Using OWASP in the WADL (Web Application Development Lifecycle)

Hands-on Exercises

The course will be very practical: demonstrations and hands-on exercises will be provided for the tools covered.

Requirements

If you are interested in participating in the hands-on portion of the course, please bring a laptop.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

T6. ModSecurity Boot-Camp Training - 2-Day Course - Nov 12-13, 2007

Course Overview

ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day boot-camp class is designed for people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible. The course covers the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and provides an in-depth look at the extremely powerful ModSecurity Rules Language. Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.

Curriculum

Day 1: Deployment and Management

  • Introduction to Web Application Firewalls
  • Overview of the Web Application Firewall Evaluation Criteria
  • Introduction to ModSecurity
  • ModSecurity architecture
  • ModSecurity deployment options
  • ModSecurity installation
  • ModSecurity configuration and operation
  • ModSecurity directives and features overview
  • ModSecurity rules primer
  • ModSecurity tuning
  • ModSecurity console deployment and usage

Day 2: Rules Writing Workshop

  • Introduction to ModSecurity’s Rule Language
  • Anatomy of a ModSecurity rule
  • Overview of PCRE
  • Variables
  • Transformation functions
  • Actions
  • Using advanced rule syntax with the “chain” action
  • Overview of the Core Rule set
  • Creating custom rules
  • Virtual Patching
  • Using initcol and setsid for stateful rules
  • Good rule writing practices
  • Testing rules
  • Tuning rules
  • Rule Debugging
  • Rule management

Hands-on Exercises

Hands-on labs will include installation and use of the ModSecurity Console on day 1, and a unique challenge on day 2 where the participants will have to use ModSecurity to try and mitigate as many vulnerabilities as possible in the OWASP WebGoat application.

Requirements

If you are interested in participating in the hands-on portion of the course, please bring a laptop. The class will use a custom VMware image, so you will need to have VMware Player, Workstation or Server pre-installed. Additionally, some of the tools we will be using outside of the VMware host require Java, so ensure that you have installed or updated to the latest version.

Registration

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

Tutorial Provider

This tutorial is provided by Ryan Barnett (ModSecurity Community Manager and Director of Application Security Training at Breach Security).

  • Special Note: Ivan Ristic, ModSecurity Creator and Breach Security Chief Evangelist, will be in attendance to answer questions and also to present on the ModSecurity development roadmap.