Black Hat Digital Self Defense USA 2006


Black Hat USA 2007 Briefings and Training
Caesars Palace, Las Vegas July 28-29 (Weekend) & July 30-31 (Weekday)

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Black Hat Registration

Building and Testing Secure Web Applications

Aspect Security

What to Bring:
Students need to provide their own Windows laptop with XP or Vista and a CDROM drive.

Training developers and software testers in application security offers one of the highest returns on investment of any security investment, because it eliminates vulnerabilities at the source. Aspect's Building and Testing Secure Web Applications training raises developer awareness of application security issues and provides examples of "what to do" and "what not to do." The class is led by an experienced application security practitioner and is delivered in a very interactive manner.

This class includes hands-on exercises where the students get to perform security analysis and testing on a live web application. This specially designed environment includes deliberate flaws the students have to find and diagnose. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.

Learning Objectives:
At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure applications and understand why this is important.

  • HTTP Fundamentals: Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)
  • Design Principles and Patterns: Understand and be able to apply application security design principles.
  • Threats: Be able to identify and explain common web application security threats (e.g., cross-site scripting, SQL injection, denial of service attacks, "man-in-the-middle" attacks, etc.) and implement mitigation techniques.
  • Authentication and Session Management: Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.
  • Access Control: Be able to implement access control rules for the user interface, business logic, and data layers.
  • Input Validation: Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.
  • Command Injection: Understand the dangers of command injection and techniques for avoiding the introduction of this type of vulnerability.
  • Error Handling: Be able to implement a consistent error (exception) handling and logging approach for an entire web application.
  • Cryptography: Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.
  • Auditing and Logging: Be able to select and implement appropriate auditing/logging capabilities.
  • Denial of Service: Understand the variety of denial of service attacks and the techniques that can be employed to reduce the likelihood of a successful denial of service attack.
  • Verification: Be able to review their applications for common security vulnerabilities using code review and penetration testing techniques.
  • Web Services: Understand the factors involved in securing a Web Services capability.

Who Should Take This Course

  • Software developers in any web environment
  • Software testers
  • Security specialists
  • Application architects



Aspect Security has been working with development teams around the country for years to help them identify, diagnose, and address security issues throughout the application development lifecycle. Through these efforts, they have learned the key practices that developers, project managers, and key support personnel must know to achieve secure applications.

Aspect's instructors are full-time application security specialists who spend the majority of their time working with clients to secure the nation's most critical applications. Leveraging this practical experience brings the class to life. Students will gain valuable insight into lessons learned from other development organizations. Our instructors also make themselves available to you for application security questions after the course is complete. Aspect is a Founding OWASP Member and supports several OWASP projects. In particular, Aspect conceived the OWASP Top Ten project and led the effort to build the document. We also built WebGoat and Stinger and donated them to the OWASP effort. Aspect personnel assist with the management of the OWASP Foundation and help run the OWASP AppSec conference series.


Ends May 31, 2007

Ends July 19, 2007

Begins July 20, 2007




(c) 1996-2007 Black Hat