
Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3 & August 4-5

Application Security - an Enterprise Approach

Security Compass



Most of the current effort in Application Security is directed towards securing applications after deployment to production. In an ideal environment however, security is at the forefront of daily operations, saving an organization time and money. This course aims to make this a reality by teaching executives and information security managers their important role in Application Security, giving them a general understanding of the threat landscape, and outlining the controls they may use to start or enhance their current Application Security Program. A major case study and various hands-on components are used to guide students in understanding their role and how they can improve their organization’s overall security posture.

Learning Objectives

Students who take this course will be able to:

  • Understand the threat landscape in application security
  • Acquire the toolset required for securing and assessing their applications
  • Learn aspects of Secure SDLC
  • Be able to articulate a plan to start an Application Security Program
  • Learn metrics to aid in assessing an organization’s application security posture
  • Be able to confidently promote application security throughout the organization

Who Should Attend

  • CISO’s and CSO’s
  • Information security managers
  • Designated security experts
  • Anyone with a desire to understand an enterprise approach to application security

Course Syllabus

Part 1: Application Security Basics

  • Introduction to Application Security
  • Ethical and unethical issues

Part 2: Application Security – The Threat Landscape

  • Attack vectors
  • Authentication, authorization, and session management
  • Input validation
  • Cryptography, error handling, other concepts

Part 3: Application Security - Architecture & Security Principles

  • Application design principles
  • Application components
  • Application architecture
  • Principles of security (The Good)
  • Principles of security (The Bad)

Part 4: Secure SDLC

  • Security fundamentals: confidentiality, integrity, and availability
  • Data classification
  • Secure requirements
  • Secure architecture

Part 5: Factors in developing an Application Security Program

  • Policies, procedures, baselines and guidelines
  • Key players in application security
  • Training and awareness
  • Threat analysis
  • Audits and penetration testing
  • Risk analysis
  • ROI and Application Security


Nish Bhalla, a quoted expert and a well-published author, is a veteran in the information security field. Having over a decade’s combined experience as a developer and network security administrator, Nish has an in-depth understanding of security issues. As the founder of Security Compass, Nish, a technocrat at heart, not only manages and gives direction to the company but is also actively involved in research on various attack vectors.

Nish Bhalla is a frequent speaker on emerging security issues. He has spoken at reputed security conferences such as “BlackHat Europe”, “Reverse Engineering Conference”, “HackInTheBox”, “Shmoocon”, “CSI” and “ISC2's Infosec Conference”. He also created and taught the Exploiting & Defending classes for Security Compass.

Prior to joining Security Compass, Nish was a Principal Consultant at Foundstone, where he performed numerous security reviews (web application, code and policy) for major software companies, online banking and trading sites, and e-commerce sites. He also helped develop and teach the “Secure Coding” class and the Ultimate xHacking, Ultimate Web Hacking and Ultimate Hacking Expert classes. Prior to working at Foundstone, Nish provided engineering and security consulting services as an independent consultant to a variety of organizations including Sun Microsystems, Lucent Technologies, TD Waterhouse and The AXA Group.

Nish is a noted expert in application security and has delivered many talks and training sessions. He is scheduled to speak at RSA, CSI and other conferences during 2008.

Nish has been interviewed by, and quoted in, many publications including CSO Online and Government News. He has written articles for, and been published in, security portals such as Security Focus and hakin9. Nish has also co-authored and contributed to many books including Hacking Exposed Web Applications (2nd Edition), Buffer Overflow Attacks: Detect, Exploit & Prevent, Windows XP Professional Security, HackNotes: Network Security and Writing Security Tools and Exploits. Nish has also been involved in open source projects such as YASSP and OWASP, and is the chair of the OWASP Toronto Chapter.

Nish holds a Master’s in Parallel Processing from Sheffield University, a postgraduate degree in Finance from Strathclyde University and a Bachelor of Commerce from Bangalore University.

Oliver Lavery brings a decade of experience in security software development and consulting to the Security Compass team. As an experienced software architect, Oliver has an extensive understanding of software development and design issues, as well as the practical realities of building security into the software development life-cycle. At the same time, as a renowned security researcher, Oliver has a deep understanding of application and network security issues. This dual background brings a unique insight to bear on Security Compass’ projects.

Prior to joining Security Compass, Oliver Lavery was Chief Scientist at PivX Solutions Inc., where he was responsible for overseeing the design and development of an award-winning Intrusion Prevention System product line, performed in-depth vulnerability analysis as part of a cutting-edge research team, and provided consulting services to international corporations.

In the past, Oliver has worked with internationally recognized cryptographers on privacy issues at Zero-Knowledge Systems Inc., has provided consulting and development services for clients including MCI, Unilever, Rational Software and Sun Microsystems, and has participated in bringing a variety of commercial software applications from conception to release. As a security consultant he has been engaged on a variety of projects focusing on network and application penetration testing, reverse engineering, security code review, vulnerability analysis, forensics, and design oversight of secure systems.

Oliver is a noted expert in information security and has published ground-breaking vulnerabilities in Microsoft Windows, Internet Explorer, and well-known applications running on the Windows platform. Most notably, a paper authored by Oliver reintroduced a class of vulnerabilities in Windows that resulted in a slew of patches from Microsoft and major software vendors.

Oliver has spoken at Austin GameCon on security issues in massively multiplayer online games alongside senior executives from Sony Online Entertainment, Electronic Arts, and Ubisoft. He has also spoken for ZDNet on the security improvements in Windows XP SP2, and interviews with Oliver have run on CNET and its international affiliates, Slate Magazine, major US radio stations, and numerous smaller publications.

Security software designed by Oliver has been endorsed by Microsoft, won awards from Secure Computing magazine and Datamation, and was acknowledged with an award of excellence from the AeA (American Electronics Association).

Registration Fees

  • Ends May 1: USD 2000
  • Ends July 1: USD 2200
  • Ends July 31: USD 2400
  • August 1: USD 2700

1997-2009 Black Hat ™