What to bring:
Participants are requested to bring their own laptops
The course is OS friendly Participants using Windows 2000, Linux, Mac OS X are all welcome. The course is Internet independent.
This course is an intense two-day journey into the innards of web application security. Brought to you by the authors of “Web Hacking: Attacks and Defense”, the class is based on case studies of real-life web applications riddled with security problems. Participants are given a hands-on experience in performing thorough application security reviews, as well as secure coding and application deployment techniques.
The course is based on a highly proven application testing methodology, encompassing black box and white box testing techniques, application security principles and practices, and real world examples.
During the course, the participants are introduced to a web application, which they have to secure by the end of the training class. The application lockdown exercise takes the participants through various concepts such as:
- Understanding application security issues
- Application testing methodologies
- Secure application deployment
- Secure coding techniques
- Security by design.
The “Web Applications: Attacks and Defense” class features web applications written using ASP or PHP, encompassing security issues such as:
- Exception handling
- SQL injection
- Remote command execution
- Data tampering
- Cross site scripting
The advanced edition of the “Web Applications: Attacks and Defense” class features a more complex web application, written using ASP, PHP, ASP.NET or Java/JSP. In addition to the regular class, the advanced edition class includes security issues such as:
- Preventing session hijacking
- Privilege escalation
- Advanced SQL security with stored procedures
Participants may choose their platform of expertise (Windows IIS+SQL Server+ASP, Windows .NET, Linux Apache+MySQL+PHP or Linux J2EE+Oracle) when taking the class. This class involves rigorous hands-on exercises.
Key Learning Objectives:
- Problems that occur when developing a web application.
- Security issues when deploying a web application.
- Web application security testing
- Securely configuring web servers
- Secure coding techniques
- Spotting basic errors in web application code
- Basic error handling techniques
General Learning Objectives:
- Developing procedures to test and maintain the security of a web application.
- Source code review procedures.
- Proficiency with security testing tools and procedures
Who Should Attend:
- Developers: Learn what can go wrong with badly written application code, and how to prevent such errors.
- Web site administrators: Learn how to securely configure a web server and an application server, without compromising on functionality.
- Application security analysts: Learn how to systematically analyse and audit a web application.
- Project managers / IT managers: Learn how to be effective in maintaining a secure web application, going ahead.
Course Length: 2 days
Cost: US $1800 before July 1, 2004 or US $2000 after July 1, 2004
NOTE: this is a two day course. A Certificate of Completion will be offered.
Saumil Udayan Shah
Founder and Director, Net-Square Solutions Pvt. Ltd.
Saumil continues to lead the efforts in e-commerce security research at Net-Square. His focus is on researching vulnerabilities with various e-commerce and web based application systems. Saumil also provides information security consulting services to Net-Square clients, specializing in ethical hacking and security architecture. He holds a designation of Certified Information Systems Security Professional. Saumil has had more than nine years experience with system administration, network architecture, integrating heterogenous platforms, and information security and has perfomed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences such as BlackHat, RSA, etc.
Previously, Saumil was the Director of Indian operations for Foundstone Inc, where he was instrumental in developing their web application security assessment methodology, the web assessment component of FoundScan - Foundstone's Managed Security Services software and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class.
Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company's ethical hacking and security architecture solutions. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member there.
Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, infomation security, and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996)