SamuraiWTF: Integrating Manual Testing Techniques and Automated Testing Tools
Instructor: Justin Searle
Course Abstract: One of the best skills a penetration tester can learn is not how to use a lot of penetration testing tools, such as those on the SamuraiWTF DVD, but rather how to successfully integrate their manual testing techniques with all of those tools. This one-day course focuses on this skill through two instructor-led penetration tests followed by a capture-the-flag-style student challenge. The course also introduces several of SamuraiWTF's testing tools, such as Zed Attack Proxy (ZAP), w3af, and the latest Firefox extensions for penetration testing. It is designed for people new to penetration testing and for those with basic to intermediate experience in web application penetration testing. Please come prepared with VMware Player, Workstation, or Fusion pre-installed.
Price: $675 until 3/9, then $745
Defense against the Dark Arts: ESAPI
Instructor: Chris Schmidt
Course Abstract: It has been said that software engineering is 10% engineering and 90% art. Given the same set of technical specifications, two engineers will address those specifications in drastically different ways. This is the beauty of innovation and forward thinking, and while this kind of creative problem solving has kept the technical industry lurching forward in large strides, it is also the bane of application security. Enter the Enterprise Security API (ESAPI): a central repository in which engineers solve security concerns in application code. I have said many times that it should not be the responsibility of the engineers cranking out code every day to design security controls. It is difficult to remain on the bleeding edge of application security and software engineering at the same time, and even more difficult to bring these two disciplines together into a cohesive, reusable component that addresses the threats specific to an organization.
This course will illustrate the importance of having an Enterprise Security API and how to effectively design, build, and deploy a solution that addresses the threat model of a single application or of an enterprise application portfolio.
Topics include (but are not necessarily limited to): ESAPI Architecture; Security Controls Overview; OWASP Reference Implementations; Designing Custom Controls; Integrating with Existing Applications; Starting Fresh; Enterprise Security Configuration; Error Handling, Logging and Intrusion Detection/Prevention; Authentication and Authorization; Validation and Encoding.
Price: $675 until 3/9, then $745
Threat Modeling: From the "cloud" on down
Instructor: Matt Tesauro
Course Abstract: Everyone knows that catching software vulnerabilities early is the best way to create secure software at the least cost (and with the least drama). But how do you do this in the Agile, cloud-based application environment we face today? This training walks you through an overview of threat modeling techniques and tools, with an eye on pragmatic solutions to real-world problems. Using the topics covered in this class, you will learn how to determine and describe an application's attack surface, and how to understand the probability of an attack while gaining insight into its impact. Whether you're looking to find design flaws early, eliminate low-hanging vulnerabilities, or improve and optimize testing, the discussion and hands-on portions of this class provide real-world examples of application security. The hands-on portion draws its lessons from actual software, such as that powering web-scale cloud software stacks, allowing you to gain practical experience working through tough software problems.
Price: $675 until 3/9, then $745