Teaching Methods:

This is a lecture and demo based class only. There is an optional 10-15% hands on component by choice of attendees. Exercises are less technically detailed than other classes and aim to illustrate the ease of attacks rather than the specifics of how they can be executed.

Materials Provided:

Printed books of content covered

Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3 & August 4-5

Application Security - an Enterprise Approach

Security Compass

Overview

Most of the current effort in Application Security is directed towards securing applications after deployment to production. In an ideal environment however, security is at the forefront of daily operations, saving an organization time and money. This course aims to make this a reality by teaching executives and information security managers their important role in Application Security, giving them a general understanding of the threat landscape, and outlining the controls they may use to start or enhance their current Application Security Program. A major case study and various hands-on components are used to guide students in understanding their role and how they can improve their organization’s overall security posture.

Lerarning Objectives

Students who take this course will be able to:

Understand the threat landscape in application security
Acquire the toolset required for securing and assessing their applications
Learn aspects of Secure SDLC
Be able to articulate a plan to start an Application Security Program
Learn metrics to aid in assessing organization’s application security posture
Be able to confidently promote application security throughout the organization

Who Should Attend

CISO’s and CSO’s
Information security managers
Designated security experts
Anyone with a desire to understand an enterprise approach to application security

Course Syllabus

Part 1: Application Security Basics

Introduction to Application Security
Ethical and unethical Issues

Part 2: Application Security – The Threat Landscape

Attack vectors
Authentication, authorization, and session management
Input validation
Cryptography, Error handling, other concepts

Part 3: Application Security - Architecture & Security Principles

Application design principles/li>
Application components
Application architecture
Principles of security (The Good)
Principles of security (The Bad)

Part 4: Secure SDLC

Security fundamentals: confidentiality, integrity, and availability
Data classification
Secure requirements
Secure architecture

Part 5: Factors in developing an Application Security Program

Policies, procedures, baselines and guidelines
Key players in application security
Training and awareness
Threat analysis
Audits and penetration testing
Risk analysis
ROI and Application Security.

Trainer:

Nish Bhalla a quoted expert and a well published author is a veteran in the information security field. Having over a decades’ combined experience as a developer and network security administrator, Nish has a in-depth understanding of security issues. As the founder of Security Compass Nish, a technocrat at heart, not only manages and gives direction to the company but also is actively involved in research on various attack vectors.

Nish Bhalla is a frequent speaker on emerging security issues. He has spoke at reputed Security Conferences such as at “BlackHat Europe”, "Reverse Engineering Conference", "HackInTheBox", “Shmoocon”, “CSI” and "ISC2's Infosec Conference". He also has created and taught the Exploiting & Defending Classes for Security Compass.

Prior to joining Security Compass, Nish was a Principal Consultant at Foundstone, where he performed numerous security reviews (Web Application / Code / Policy ) for major software companies, online banking and trading & e-commerce sites. He also helped develop and teach the "Secure Coding" class, the Ultimate xHacking, Ultimate Web Hacking and Ultimate Hacking Expert classes. Prior to working at Foundstone, Nish provided engineering and security consulting services as an independent consultant to a variety of organizations including Sun Microsystems, Lucent Technologies, TD Waterhouse & The Axa Group.

Nish is a noted expert in application security and has delivered many talks and training sessions. He is scheduled to speak at RSA, CSI and other conferences during 2008.

Nish has been interviewed by, and quoted in, many publications including CSO Online and Government News. He has written articles and been published in security portals like Security Focus and hackin9. Nish has also co-authored and contributed to many books including Hacking Exposed Web Applications (2nd Edition), Buffer Overflow Attacks: Detect, Exploit & Prevent, Windows XP Professional Security, HackNotes: Network Security and Writing Security Tools and Exploits. Nish has also been involved in the open source projects such as YASSP and OWASP, and is the chair of the Toronto Chapter.

Nish holds his Masters in Parallel Processing from Sheffield University, is a postgraduate in Finance from Strathclyde University and a Bachelor in Commerce from Bangalore University.

Oliver Lavery brings a decade of experience in security software development and consulting to the Security Compass team. As an experienced software architect Oliver has an extensive understanding of software development and design issues, as well as the practical realities of building security into the software development life-cycle. At the same time, as a renowned security researcher Oliver has a deep understanding of application and network security issues. This dual background brings a unique insight to bear on Security Compass’ projects.

Prior to joining Security Compass, Oliver Lavery was engaged as Chief Scientist at PivX Solutions inc. where he was responsible for overseeing the design and development of an award winning Intrusion Prevention System product line, in-depth vulnerability analysis as part of a cutting-edge research team, and provided consulting services to international corporations.

In the past Oliver has worked with internationally recognized cryptographers on privacy issues as part of Zero Knowledge systems Inc, has provided consulting and development services for clients including MCI, Unilever, Rational Software, and Sun Microsystems, and has participated in bringing a variety of commercial software applications from conception to release. As a security consultant he has been engaged on a variety of projects focusing on network and application penetration testing, reverse-engineering, security code review, vulnerability analysis, forensics, and design oversight of secure systems.

Oliver is a noted expert in information security and has published ground-breaking vulnerabilities in Microsoft Windows, Internet Explorer, and well known applications running on the Windows platform. Most notably a paper authored by Oliver reintroduced a class of vulnerabilities in Windows that resulted in a slew of patches from Microsoft and major software vendors.

Oliver has spoken at Austin GameCon on security issues in massively multiplayer online games along with senior executives from Sony Online Entertainment, Electronic Arts, and Ubisoft. He has also spoken for ZDNet on the security improvements in Windows XP SP2, and interviews with Oliver have run on CNET and its international affiliates, Slate Magazine, major US radio stations, and numerous minor publications.

Security software designed by Oliver has been endorsed by Microsoft, won awards from Secure Computing magazine and Datamation, and was acknowledged with an award of excellence from the AeA (American Electronics Association).

Early: Ends May 1	Regular: Ends July 1	Late: Ends July 31	Onsite: August 1
USD 2000	USD 2200	USD 2400	USD 2700