Remote Testing for Common Web Application Security Threats

From OWASP
Revision as of 16:11, 21 September 2010 by Mark.bristow (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

468x60-banner-2010.gif

Registration | Hotel | Walter E. Washington Convention Center

Description

Course Length: 2 Days

The proliferation of web-based applications has increased the enterprise's exposure to a variety of threats. There are overarching steps that can and should be taken at various steps in the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.

This workshop will enable students to test the security of web-based applications from the perspective of the end user. Security testing helps to fulfill industry best practices and validate implementation. Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.

The most common threats and their potential impact will be covered (based on the industry standard OWASP "Top Ten" – see http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). Hands-on labs and demonstrations will be used to teach the tools and techniques needed to remotely detect and validate the presence of these threats.

Student Requirements

You will need to bring your own notebook computer. Each student will be given a virtual machine containing open-source OS, tools, documentation, and targets for a fully self-containing web app security testing environment. Training will feature the open-source project “Web Application Security Dojo” (http://dojo.mavensecurity.com)


Student systems should meet the following minimum requirements

  1. Prior to the workshop install the latest stable version of VirtualBox. (Free from [1]). VirtualBox runs on almost any OS (sorry, no Amiga support).
  2. Your system should be updated with the latest security patches for your own protection if you opt to get on the classroom/conference network.
  3. If you use a Windows OS then the file system must be NTFS or better in order to handle large files. FAT32 will not work! See [2] for help determining which file system you have.
  4. Optional: Wifi network card. A network connection is not required because the virtual machine will contain the targets – however, Internet access is always handy.
  5. Optional: Student should have Administrator access to the OS in case they need to install new software during class. This will not be necessary once VirtualBox is installed. Again, be sure to have VirtualBox installed (step 1 above) before you arrive at class.
  6. Hard drive should have at least 5 GB of free space.
  7. 1 GB of RAM (more is better); 2 GB of RAM if you are using Vista.
  8. Modern CPU (last 2-3 years); if you have 1+ GB of RAM you are probably fine.


Objectives

Skill: Basic, Intermediate, Advanced

  1. Understand the security threats facing web applications.
  2. Learn the tools and techniques to remotely validate a web application's security.
  3. Enhance secure programming practices by raising awareness and giving developers and auditors the tools & knowledge needed to test their web application’s security from the user's perspective.
  4. Suggestions for mitigating security risks in web applications

Instructor

Instructor: David Rhoades is a senior consultant with Maven Security Consulting Inc. ([www.mavensecurity.com]). Maven Security Consulting Inc. is a Delaware corporation that provides information security assessments and training services to a global clientele.

David’s expertise includes web application security, network security architectures, and vulnerability assessments. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore).

David has taught at various security conferences around the globe, including for USENIX (www.usenix.org), MIS Training Institute ([www.misti.com]), and ISACA ([www.isaca.org]).

David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu).]]]