
Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 4-5

Advanced Web Application Penetration Testing: Black Hat Edition

Aspect Security

Overview

This two-day course is designed to teach web application security testers how to become more effective, organized, and methodical in their approach to web application security testing. Participants will learn how to scope a security review and prioritize the work, understand the manual and automated tools and techniques available and when and how to apply them, and learn how to determine the real risk value of what they find. To achieve these goals, students will assess a real-world application against the OWASP Top Ten security areas. The Black Hat-specific course will use a modified version of the Java Pet Store J2EE web application provided by the Blueprints project. Not only will we identify vulnerabilities introduced into the application, but students will also be asked to identify actual 0-day vulnerabilities existing in the Java Pet Store baseline! Students gain hands-on testing experience with freely available web application security test tools to find and diagnose flaws and learn to identify them in their own projects. Students are then guided through the process of creating and communicating effective software security flaw descriptions for the flaws they have discovered.

While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.

Who Should Attend

The intended audience for this course is:

  • Software security testers and code reviewers
  • Designated security experts
  • Architects with a desire to understand more about security

Learning Objectives

At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure applications and understand why this is important.

  • Security Planning - Scope a security review and prioritize the work
  • Penetration Testing - Understand the tools and techniques available and when to apply them
  • Code Review - Understand the tools and techniques available and when to apply them
  • Risk Management - Learn to diagnose a finding in terms of likelihood and impact

Trainer

Aspect Security has been working with development teams around the country for years to help them identify, diagnose, and address security issues throughout the application development lifecycle. Through these efforts, they have learned the key practices that development and project managers, and key support personnel must know to achieve secure applications.

Aspect’s instructors are full-time application security specialists that spend the majority of their time working with clients to secure the nation’s most critical applications. Leveraging this practical experience brings the class to life. Students will gain valuable insight into lessons learned from other development organizations. Our instructors also make themselves available to you for application security questions after the course is complete.

Aspect is a founding OWASP Member and supports several OWASP projects. In particular, Aspect conceived the OWASP Top Ten project and led the effort to build the document. We also built WebGoat, ESAPI, Stinger, and CSRFGuard and donated them to the OWASP effort. Aspect personnel assist with the management of the OWASP Foundation and help run the OWASP AppSec conference series.

Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven years of professional experience writing code, four years of professionally auditing code, and many years of doing both as a hobby. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Black Hat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project.

Registration Fees

  • Early (ends May 1): USD 2000
  • Regular (ends July 1): USD 2200
  • Late (ends July 31): USD 2400
  • Late/Onsite (begins August 1): USD 2700

1997-2009 Black Hat ™