Trainiing

Note: if the class is overfilled, then you will be wait-listed until there are enough students to fill a second class. You will be contacted should this occur.

training

USA 2002 Training
Caesars Palace, Las Vegas, NV
July 29-30, 2002

All course materials, lunch and two coffee breaks will be provided.
You must provide your own laptop.

Course Length: 1 day

This class is SOLD OUT

course description
One Day Course
Tuesday, July 30
Secure Development of Data-Driven Web Applications
Timothy Mullen
What to bring:
Students should bring their own network-ready laptops preferably running NT or Win2k with CDRom drive and an open mind.  A CD will be provided with reference material, sample code, and utilities.

Deploying a poorly designed web application can be like propping open the Front Door into your network infrastructure.  The vulnerabilities introduced by these design flaws can be exploited with different techniques of SQL injection, URL manipulation, error/debug code analysis, and other insidious methods.

Since detection of these attack modes can be difficult (or sometimes impossible when made over secure channels), it not only important to learn how these attacks are structured; one must learn how to build an application whose very structure mitigates the impact these techniques can have.

In contrast to many Blackhat sessions flavored toward the "exploit" side of things, this session will concentrate on the techniques and methods used to protect your network from these types of vulnerabilities, and "best practices" to follow when developing your data-driven applications.

With content specific to Microsoft IIS5 and SQL2000 utilizing ASP and ADODB, this course will provide an overview of a typical application's lifespan from the design and planning stage, through to its production and deployment.

The course will be broken into two main areas of study:  Development and Implementation.

Development:
During the development phase, we will cover the following:

  1. Web Form Design
  2. User Input Validation and Sterilization
  3. SQL query string construction
  4. Data object instantiation
  5. Parameter typing and passing
  6. SQL database design
  7. Stored procedure design and execution

Implementation:
Implementation will cover the following specific technologies:

  1. Microsoft IIS5 server configuration and hardening
  2. Microsoft SQL2000 server configuration and hardening
  3. SQL mixed mode authentication and pitfalls
  4. SQL Integrated mode, user/group structure, and procedure permissions
  5. Real-world deployments, vulnerabilities, and consideration

Course Length: 1 day

This class is SOLD OUT

Trainer:

Timothy Mullen is CIO and Chief Software architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions.  Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles.  A.k.a. Thor, he is the founder of the "Hammer of God" security co-op group.

Black Hat Logo
(c) 1996-2007 Black Hat