Web-based applications are the technology delivery vehicle du jour—almost everyone has one or two home-grown web applications on their network. If you are concerned with the security of web applications and the insecurity they introduce to your back end information systems this is the workshop for you.

Want to design a web application capable of thwarting current and future threats? The ability to protect the confidential data exposed by your web application requires an understanding of the failings of the web medium.

Developers must incorporate techniques that address fundamental security requirements and offer protection against future attacks without compromising the intended functionality of the web application. Meanwhile, consultants and auditors must be able to understand and execute concise methodologies that allow them to assess the security posture and make recommendations for hardening the web application.

Taught by 6 seasoned experts in web application security, this course exposes real-world examples of pitfalls in web application design and lays out processes for avoiding future exposures and attack vectors. Additionally, this course will show how to properly assess the security of your web applications using methods both NGS and Special Ops Security currently employ on security assessments and penetration tests. Students will benefit from hands-on lab exercises and a high student to teacher ratio.

By the end of this course, delegates should be able to: 

• Apply best-practices in web application design
• Understand the reasons behind web exploitation
• Successfully prevent most automated attack vectors
• Understand the security significance of various design compromises
• Accurately assess the overall security of a web-based application

Who Should Attend?
Internal security teams, web developers, and security consultants concerned with the security of home-grown web applications and the exposure they have to back end information systems

Key Learning Objectives

• Application Topology
• Application Caching and Proxies
• Authentication and Access Control
• Managing Access
• Session Handling
• Data Validation
• Cryptography
• Event Logging
• Installation and Configuration
• Data Content
• Testing Techniques
• Attack Vectors

ISC² CISSP/SCCP CPE Credits
Students are eligible to receive 16 Continuing Professional Education (CPE) credits upon completion of class. Black Hat will automatically forward your information to ISC².

Erik Pace Birkholz
Founder and President, Special Ops Security, Inc.

Erik Pace Birkholz (CISSP, ISSAP, MCSE) is the Founder and President of Special Ops Security, Inc. Since 1995, Birkholz has performed hundreds of vulnerability assessments, penetration tests, host security reviews, web application assessments and security infrastructure reviews for many of the largest corporations in the world. He is the author of the best-selling book "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle" (Syngress, ISBN 1931836698). He is also a contributing author of five international best-selling books for Osborne/McGraw-Hill including "SQL Server Security, Hacking Windows 2000 Exposed" and three editions of the international best-selling series, "Hacking Exposed: Network Security Secrets and Solutions". Most recently, as Series Editor, he authored the Foreword for "Security Sage’s Guide to Hardening the Network Infrastructure".

Before founding Special Ops Security, Erik was a charter member (Principal Consultant and Lead Instructor) of Foundstone from inception to its acquisition by McAfee in October 2004. Prior to accepting the role of Principal Consultant at Foundstone in 2000, he served as the West Coast Assessment Lead for Internet Security Systems (ISS), a Senior Consultant for Ernst & Young’s National Attack and Penetration team and a Consultant for KPMG’s Information Risk Management group. Erik holds a Bachelor’s of Science degree in Computer Science from Dickinson College in Carlisle, Pennsylvania. In 1999, he was named a Metzger Conway Fellow, an annual award presented to a distinguished Dickinson alumnus who has achieved excellence in his or her field of study. Additionally, Mr. Birkholz is a Subject Matter Expert for the Information Assurance Technology Analysis Center (IATAC); a Department of Defense entity that belongs to the Defense Technical Information Center.

Chip Andrews
Founder and Director of Research and Development, Special Ops Security, Inc.

Chip Andrews (CISSP, MCDBA) is the Director of Research and Development for Special Ops Security, Inc. Chip is the founder of the SQLSecurity.com website which focuses on Microsoft SQL Server security topics and issues. He has over 14 years of secure software development experience helping customers design, develop, deploy and maintain reliable and secure software. He regularly performs security assessments and penetration tests in a myriad of environments including Microsoft, UNIX, client/server applications, web-based applications, and multiple database platforms. Chip specializes in application- layer vulnerabilities and is adept at finding unintended access vectors into back-end systems using flaws in custom-developed application software; this usually allows unauthorized access even in well maintained systems.

Chip has been a primary and contributing author to several books including "Special Ops: Network and Host Security for Microsoft, Oracle and UNIX" (Syngress, ISBN 1931836698), "SQL Server Security" (Osborne, ISBN 0072225157), and "Hacking Exposed: Windows 2000" (McGraw-Hill, ISBN 0072192623). He also served as a technical reviewer for the book "SQL Server Security Distilled" (Curlingstone, ISBN 1590591925). Chip has also authored articles for magazines such as Microsoft Certified Professional Magazine, SQL Server Magazine, and Dr. Dobb's Journal focusing on SQL Server security and software development issues. He is a prominent speaker at security conferences such as the Black Hat Briefings, where he provides expertise on Microsoft SQL Server security issues and secure application design.

Before founding Special Ops Security, Chip was a Software Security Architect for several software development companies and specialized in application penetration testing and security training for everyone involved in the development process from design to deployment. In addition, he incorporated secure development practices into the software development life cycle including threat modeling, security unit testing, checklists, code review and code generation. Prior to that, Chip was a Senior Consultant for Computer Associates in the eTrust security consulting division specializing in intrusion detection, access control, and security assessments. Chip holds a Bachelors degree in Applied Computer Science from Southern Polytechnic State University in Marietta, Georgia.

Steve Andrés
Founder and Chief Technology Officer, Special Ops Security, Inc.

Steven Andrés (CISSP, ISSAP, ISSMP, CCNP, CCSE, MCSE) is the Chief Technology Officer for Special Ops Security, Inc., an information security consulting, training and deployment services organization headquartered in Orange County, California. He is the author of the leading secure infrastructure guide, "Security Sage’s Guide to Hardening the Network Infrastructure" (Syngress, ISBN 1931836019), published in April 2004. His other works include the internationally best-selling "Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition" (McGraw-Hill, ISBN 0072227427) as well as the definitive publication on internal network security, "Special Ops: Network and Host Security for Microsoft, Oracle and UNIX" (Syngress, ISBN 1931836698), for which the company is named.

Prior to Special Ops Security, Steven was the Director of Technical Operations for Foundstone, a vulnerability management and strategic security professional services company, acquired by McAfee in late 2004. Steven managed the infrastructure and ensured the confidentiality of sensitive client data within the Foundstone On-Demand Service. Steven is the co-inventor of the award-winning Foundstone FS1000 Appliance, a widely-recognized security platform for rapid deployment of security management solutions at dozens of Fortune 100 clients, and helped create a patent-pending methodology for digital threat intelligence correlation. More recently, Steven has been involved in product integration services, customizing vulnerability assessment products to interface with back-end enterprise systems at the largest ISP in the world. Steven has nine years of experience managing high-availability networks in the Entertainment, Health Care, Financial, and Higher Education industries, and is frequently invited to speak on secure architecture best practices.

Steven has earned the Certified Information Systems Security Professional (CISSP) designation, as well as the Information System Security Architecture Professional (ISSAP) and Management Professional (ISSMP) accreditations. Vendor-specific certifications include the Cisco Certified Network Professional (CCNP), Microsoft Certified Systems Engineer (MCSE), Cisco Certified Security Professional (CCSP), and Checkpoint Certified Security Engineer (CCSE). Steven was awarded the INFOSEC Professional designation, jointly-issued by the U.S. National Security Agency (NSA) and the Committee on National Security Systems (CNSS). Additionally, the Information Assurance Technology Analysis Center (IATAC), chartered by the U.S. Department of Defense Technical Information Center (DTIC) in Directive 3200.12, lists Steven as one of their subject-matter experts in the field of Information Security, and has called upon him to assist in classified STI projects for various agencies. Steven earned a Bachelor’s degree from the University of California, Los Angeles (UCLA) and enjoys living in the comfort of a climate-controlled, biometrically-secured data center, with clean DC power and limitless bandwidth.

Full bios for Chip, Erik and Steve can be found here: http://www.sopssec.com/company/founders.php

Gunter Ollmann
Professional Services Director, NGS Software Ltd.

Gunter Ollmann has over 10 years hands-on experience developing and managing secure systems, and over 5 years experience in providing cutting-edge security consultancy advice from an 'attack' perspective. At NGS he is responsible for the design and delivery of world-leading professional security services, ensuing his clients receive the best security advice backed by NGS's "best in the world" research team, bug hunters, and penetration testers. Formerly the manager of ISS' X-Force Security Assessment Services throughout Europe, the Middle East and Africa, he was responsible for the delivery of all 'attack' based service offerings to many of the worlds top organisations.

With a long history in software development and networking dating to pre-Internet and BBS days, he has learnt the hard way just what it takes to design and build secure systems, and how to apply security to real business environments. His specialities include secure web application & architecture design, penetration testing and operational security management. This experience combined with his security research has led Gunter to develop numerous authoritative security whitepapers. As a regular contributor to various security magazines, including SC Magazine, he is a frequent presenter at well known security conferences.

Chris Paget
Security Consultant and Researcher, NGS Software Ltd.

Chris Paget is a security consultant and researcher for NGS Software, based in London. Chris has almost 20 years of experience in programming and security auditing, specializing in Win32 and Internet systems. He has performed audits for many of the largest banks and high-tech companies in the world, and has several years of experience teaching system administrators how to break into their own networks.