RSS feed logo header graphic

Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3 & August 4-5

Building and Testing Secure Web Applications

Aspect Security

registration button





Overview

Training developers and software testers in application security offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building and Testing Secure Web Applications training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced application security practitioner and is delivered in a very interactive manner.

This class includes hands-on exercises where the students get to perform security analysis and testing on a live web application. This specially designed environment includes deliberate flaws the students have to find and diagnose. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.

Learning Objectives:

At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure applications and understand why this is important.

  • HTTP Fundamentals: Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)
  • Design Principles and Patterns: Understand and be able to apply application security design principles.
  • Threats: Be able to identify and explain common web application security threats (e.g. cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.
  • Authentication and Session Management: Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.
  • Access Control: Be able to implement access control rules for the user interface, business logic, and data layers.
  • Cross-Site Request Forgery (CSRF): Learn how CSRF attacks can be used to defeat your access control mechanism and how to implement defenses that can protect your entire web application from such attacks.
  • Input Validation: Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.
  • Command Injection: Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.
  • Error Handling: Be able to implement a consistent error (exception) handling and logging approach for an entire web application.
  • Cryptography: Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.
  • Auditing and Logging: Be able to select and implement appropriate auditing/logging capabilities.
  • Denial of Service: Understand the variety of denial of service attacks and the techniques that can be employed to reduce the likelihood of a successful denial of service attack.
  • Verification: Be able to review their applications for common security vulnerabilities using code review and penetration testing techniques.
  • Web Services: Understand the factors involved in securing a Web Services capability.

Who Should Attend?

  • Software developers in any web environment
  • Software testers
  • Security specialists
  • Application architects

Trainer:

Aspect Security has been working with development teams around the country for years to help them identify, diagnose, and address security issues throughout the application development lifecycle. Through these efforts, they have learned the key practices that development and project managers, and key support personnel must know to achieve secure applications.

Aspect’s instructors are full-time application security specialists that spend the majority of their time working with clients to secure the nation’s most critical applications. Leveraging this practical experience brings the class to life. Students will gain valuable insight into lessons learned from other development organizations. Our instructors also make themselves available to you for application security questions after the course is complete. Aspect is a Founding OWASP Member and supports several OWASP projects. In particular, Aspect conceived the OWASP Top Ten project and led the effort to build the document. We also built WebGoat and Stinger and donated them to the OWASP effort. Aspect personnel assist with the management of the OWASP Foundation and help run the OWASP AppSec conference series.

registration button




Early:
Ends May 1

Regular:
Ends July 1

Late:
Ends July 31

 Onsite:
Begins August 1

$1800 USD

$2000 USD

$2200 USD

 $2500 USD
1997-2009 Black Hat ™