Europe 2009 Tutorials
This year we bring you eight(!) 1- and 2-day tutorials from the best application security experts!
The tutorial are in the same venue as the conference.
2-day tutorials (May 11-12)
Hands on application security with the OWASP Live CD, by Matt Tesauro, Texas Education Agency
The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or noncommercial use.
More information is available at: Category:OWASP Live CD Project
Students will need to bring their laptop with them.
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&M Mays Business School. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Tools and Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Tx. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.
Web Services Security, by Dave Wichers, Aspect Security
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. Building Secure Web Services introduces the student to all of the commonly used web services and SOA functional and security standards (including web services, XML, HTTP, and SOA standards), and then focuses on presenting effective ways for providing the security characteristics required in each of the core web services security areas. These areas include encryption, authentication, access control, input validation, error handling and logging, etc.
The course starts with a module on the core functional and security standards involved in web services and an overview of web services security. This is followed by a high level approach for doing threat modeling for web services enabled applications.
After this introduction, each web services vulnerability area is covered in detail, discussing the common threats and alternate approaches for addressing those threats, including both standards based (where they exist) and best practice based security approaches. This course teaches practical implementation and testing techniques, including the use of hands on testing exercises to discover and exploit web services vulnerabilities as well as hands on solution development exercises for eliminating these vulnerabilities.
The course concludes with coverage on how to establish trust between services, some exercises on applying what we have learned, and then a significant discussion on SOA and its impact on web services security.
The course outline for this course is as follows:
- Introduction to Web Services Security
- Web Services Security Threat Modeling
- How to Secure Web Services Communications and Protect Sensitive Data (e.g., XML Encryption/Signature)
- Managing Authentication and Identity within Web Services (e.g., SAML, WS-Trust, WS-Secure Conversation)
- How to Control Access to Web Services (e.g., SAML, XACML, XML Gateways)
- How to Validate Input and Protect Output in Web Services (e.g., DTDs, XSDs, custom)
- Error Handling, Logging, Accountability, and Monitoring within Web Services
- Providing and Protecting Discovery Services (UDDI)
- Establishing Trust between Services (e.g., WS-Security, SAML, WS-Federation)
- Applying What We’ve Learned
- Service Oriented Architectures (SOA)
Hands on Exercises: To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.
Requirements: If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.
Dave Wichers is the COO and cofounder of Aspect, where he is responsible for running daily operations of the company. Prior to founding Aspect, Dave started and ran the application security practice at Exodus Communications, which provided a full suite of application security consulting services to Fortune 500 and other commercial companies starting in 1998. Dave has focused on information security during his entire career, starting in 1988. His information security background spans the entire security engineering lifecycle, including software development, system security requirements, security architectures, secure designs, security policies, models, and system testing. He has supported the design and development of trusted operating systems, trusted databases, secure routers, multilevel secure guards, and large integrated systems for a wide variety of customers, including NSA, DoD, and Fortune 500 vendors and end customers. Dave is a primary author of the OWASP Top 10 Web Application Security Vulnerabilities and is the OWASP Conferences Chair. He was also a primary contributor to the group responsible for creating ISO 21827, the Systems Security Engineering Capability Maturity Model (SSE-CMM). Dave earned a B.S. summa cum laude in Computer Systems Engineering from Arizona State University and an M.S. summa cum laude in Computer Science from the University of California at Davis. Dave holds both CISSP and CISM certifications.
Advanced Testing, by Michael Coates, Aspect Security
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.
This two day course is designed to teach existing web application developers how to test for security issues. Participants of this course will learn how to scope a security review and prioritize the work, understand the manual and automated tools and techniques available and when to apply them, and learn how to determine the real risk value. In order to achieve these goals, students will assess the OWASP Top Ten security areas within a real world application.
This course will utilize a modified version of the Java Pet Store J2EE web application provided by the Blueprints project. Not only will we identify vulnerabilities introduced into the application, but students will also be asked to identify actual 0-day vulnerabilities existing in the Java Pet Store baseline! Students gain hands-on testing experience with freely available web application security test tools to find and diagnose flaws and learn to identify them in their own projects. The students are then guided through the process of how to create and communicate effective software security flaw descriptions for the flaws they have discovered.
Students need to be very familiar with common web application security issues including the OWASP Top Ten. As an advanced class, students should already have had some basic experience doing web application security testing. At a minimum, the students should have already gone through and solved most of the web application security lessons in OWASP's WebGoat or have experienced similar testing activities.
Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and is completing a Masters Degree in Computer Security from DePaul University. In past years, Michael assessed the security of GSM and WiMAX telecommunication networks, application and network systems for financial institutions and performed social engineering testing.
1-day tutorials (May 11)
Web 2.0 Hacking – Attacks & Countermeasures, by Shreeraj Shah, Blueinfy
Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.
The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. The class features real life cases, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.
We are going to address following topics in detail:
- Application security fundamentals: Application evolution, Web 2.0 framework, Layered threats, Threat models, Attack vectors and Hacker’s perspective.
- Application infrastructure overview: Protocols (HTTP/SSL), SOAP, XML-RPC, REST, Tools for analysis, Server layers and Browsers with plugins.
- Application Architecture: Overview to .NET and J2EE application frameworks, Web 2.0 application architecture, Widgets framework, Application layers and components, Resources and interactions, other languages.
- Advanced Web Technologies: Ajax, Rich Internet Applications (RIA) and Web Services.
- Application attack vectors and detail understanding: SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Path traversal, Session hijacking, LDAP/XPATH/Command injection, Buffer overflow, Input validation bypassing, Database hacks and Blind SQL injections.
- Advanced Attacks: Ajax based XSS, CSRF with Web Services, Decompiling Flash and RIA apps, WSDL scanning, XML poisoning, SQL injections through XML, External Entity attacks, Widget exploitation, RSS injections, Cross Domain bypass, and many more.
- Application methodologies: Blackbox /Whitebox approaches, tools, techniques and little tricks
- Advanced application footprinting and discovery: Leveraging search engines, Cross domain mashup discovery and Web 2.0 application domain enumeration.
- Fingerprinting: Web and Application server, Ajax framework, Flash based application and technology fingerprinting.
- Web Fuzzing: Fuzzing XML, JSON, RPCs etc. for vulnerability detection.
- Scanning Web Services: Footprinting, discovery, scanning and attacking XML-RPC, SOAP and REST based applications.
- Scanning for vulnerabilities through Source: Function and Method signature mapping, entry point identification, data access layer calls, tracing variables and functions.
- Applying validations: Input validations, Output validations, Data access filtering, and Authentication validates.
- Web Application Firewall: Advanced content filtering by tools and techniques.
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert.
Web Application Security for Managers and Executives – The Road Less Travelled, by Mano Paul, SecuRisk Solutions
With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.
- Changing Landscape
- Drivers of Web Application Security (Exercise)
- Method to the Madness
- Attackers Advantage vs. Defenders Dilemma
- Stakeholders (Exercise)
- Boardroom Questions
- Business Aware IT Security (BAITS)
- Regulations, Compliance and Security
- SOX, GLBA, HIPAA ...
- European Data Protection Directive
- PCI DSS
- Software Security Concepts
- Design Principles (Saltzer & Schroeder)
- Economy of Mechanisms
- Fail Safe Defaults
- Complete Mediation
- Open Design
- Separation of Privilege
- Least Privilege
- Least Common Mechanisms
- Psychological Acceptability
- Security Mechanisms (CIA+AAA+Mgmt)
- Management - Session, Exceptions, Configuration
- Design Principles (Saltzer & Schroeder)
- Security in the SDLC - Requirements to Release
- 7 Steps to securing applications
- SD4 - Secure by Default, Design, Development, and Deployment
- Information Security Management Top 10 (real world stories and tips)
- OWASP Top 10 (covers what it is, anatomy (how it works), and defense)
- Software Risk Management
- Security in an Outsourced World
- Web 2.0 Security
- Self Service Programs
- Awareness, Training & Education
- Hiring and Staffing
- Information Security Program Framework
- The Road less Travelled - Fun interactive session that covers security from Literature, Science and Nature
Mano Paul (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions and Express Certifications. He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also appointed the Software Assurance Advisor for (ISC)2, representing and advising the organization on software assurance strategy, training, education and certification. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. Before Express Certifications and SecuRisk Solutions, Mano played several roles from software developer, quality assurance engineer, logistics manager, technical architect, IT strategist and security engineer/program manager/strategist at Dell Inc. Mano is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN). He has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, SC World Congress, and TRISC. Mano holds the following professional certifications - CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+ and ECSA certification.
1-day tutorials (May 12)
In-depth Assessment Techniques: Design, Code, and Runtime, by Pravir Chandra, Cognosticus
This tutorial is targeted at those wanting to enhance their software assessment skills. Specifically, the tutorial teaches attendees techniques for design analysis, code review, and penetration testing that uncover a wide variety of vulnerabilities and weaknesses in applications. If you have pre-existing skills and want to learn more this course is perfect. The tutorial will generally focus on web applications, but most information applies to software of any type. In addition, attendees will learn general methods for protecting against the security issues uncovered by each assessment technique.
The turorial topics include:
- System decomposition for analysis
- Lightweight threat/risk modeling
- Identifying interfaces/attack surface
- Testing business logic and edge cases
- Assessing for provision of security mechanisms
- Assessing for key vulnerability classes
- Risk classification and weighting
- Root cause analysis and patching
The tutorial has a primary focus on intermediate/advanced assessment and testing concepts for architects and developers. Automated security assessment tools will be discussed in context, but not demoed.
Pravir Chandra, is widely recognized in the industry for his expertise in security-based code analysis, and also for his ability to apply this knowledge strategically from a business perspective. He was most recently affiliated with Secure Software, Inc., where he was Co-Founder and Chief Security Architect. Previously, he managed an Operations Security group at AOL Time Warner where he supervised the build-out and maintenance of critical security infrastructure for the company and spent time as a research associate at Cigital. Pravir’s book, Network Security with Open SSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes serving as Project Lead for the Comprehensive Lightweight Application Security Process (CLASP) project with the Open Web Application Security Project (OWASP) Foundation.
Introduction to ModSecurity, the Apache Security Module, by Christian Folini, Netnea (christian.folini 'at' netnea.com)
The training session adresses technical users with a good understanding of http, but no previous knowledge of ModSecurity. The programm will be a mix of presentations, lab sessions and discussions about the merits of web application firewalls and online security in general. The attendees will recieve the basic knowledge to use ModSecurity at home and the means to configure the module in real world situations. They will thus also get an overview about the documentation and community support offerings.
Tutorial program in 7 lessons
- LAB: Rules I
- Architecture I
- Core Rules (1/2 lesson)
- Alerts and Logs (1/2 lesson)
- HTTP - A closer look
- Architecture II
- Rules II
Attendees have to bring their own laptop.
Christian Folini, tbd Christian has contributed to various Apache and ModSecurity related mailinglists and blogs. He developped Remo, a rule editor for ModSecurity.
Threat Modeling, by John Steven, Cigital
How will attackers break your web application? How much security testing is enough? Do I have to worry about insiders? Threat modeling, applied with a risk management approach can answer both of these questions if done correctly. This talk will present advanced threat modeling step-wise through examples and exercises using the Java EE platform and focusing on authentication, authorization, and session management. Participants will learn, through interactive exercise on real software architectures, how to use diagramming techniques to explicitly document threats their applications face, identify how assets worth protecting manifest themselves within the system, and enumerate the attack vectors these threats take advantage of. Participants will then engage in secure design activities, learning how to use the threat model to specify compensating controls for specified attack vectors. Finally, we'll discuss how the model can drive security testing and validate an application resists specified attack.
John Steven, Senior Director, Advanced Technology Consulting Cigital, brings to this newly-created division of the company both depth and breadth in software security. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.