What to Bring:

Students must bring a laptop with an OS (any kind) that can run VMWare. The machine should have a minimum of 4 GB free disk space and at least 1 GB RAM (if Vista, please have 2GB). To be able to connect to servers, you would need wireless network card (802.11b/g) or wired network (please bring cable). DVD reader on laptop (good to have)

Prerequisites:

This course explores technical details of various application-layer vulnerabilities. Students should have knowledge of basic web application security, as well as basic programming knowledge (having Java specific programming experience is very helpful).

Not sure if you meet the prerequisites? Take a short quiz to determine if this training is right for you.

Would like a refresher for the prerequisites before taking the course? We have made available a few resources that we think you will find useful.

Materials Provided:

Linux VMImage with Java Development/Code Review Environment
DVD with image of VMImage
Printed books of content covered

Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3 & August 4-5

Source Code Review – J2EE

Security Compass

Overview

Source code review is a highly effective method of detecting vulnerabilities in software. This course aims to arm security analysts and J2EE software developers interested in creating secure software with the skill-set to manually identify insecure code through analysis. This process requires a more in-depth understanding of application security, and thus this class provides a deeper drive along with hands-on analysis.

Lerarning Objectives

Students who take this course will be able to:

Understand major application security vulnerabilities
Identify those areas in source code that are of particular concern to security
Walk through a real application and perform a manual source code review
Learn various source code review methodologies and approaches
Walk away with practical guidelines of what to look for when performing source code review
Be able to articulate the advantages and disadvantages of manual and automated source code review

Who Should Attend

The intended audience for this course is:

Information security analysts
Software security testers and code reviewers
Designated security experts
Architects with a desire to understand more about security

Prerequisites

This course explores technical details of various application-layer vulnerabilities. Students should have knowledge of basic web application security, as well as basic programming knowledge (having Java specific programming experience is very helpful).

Not sure if you meet the prerequisites? Take a short quiz to determine if this training is right for you.

Would like a refresher for the prerequisites before taking the course? We have made available a few resources that we think you will find useful.

Course Syllabus

Part 1: Introduction

Introduction to the Application
Understanding of business case
Establishing review objectives

Part 2: Source Code Review Approaches

Point-of-entry approach
Relevant-component approach
Keyword approach
Framework level Threat Analysis

Part 3: Authentication

Overview
Review authentication
Realms, users, groups, and roles
Common authentication vulnerabilities

Part 4: Authorization

Overview
Access control: page, functional and data levels
Common authorization vulnerabilities

Part 5: Session Management

Container managed sessions
Session management vulnerabilities

Part 6: Input Validation

Identifying SQL injection in code
Identifying XSS in code
Identifying CSRF in code
Identifying XML vulnerabilities in code

Trainer:

Rohit Sethi joined Security Compass as its second full-time employee. Leveraging a combined background in information security and software engineering, Rohit is recognized internationally as an expert in the emerging field of application security. In his role as manager at Security Compass, Rohit is responsible for managing Security Compass’s internationally renowned consultants on cutting edge consulting and training engagements across North America and around the world. He is leading development and instruction of the SANS Institute class Secure Coding in Java.

Rohit has provided security consulting and training services to primarily Fortune 1000 clients in the financial services, healthcare, utilities, telecommunications, media, and software industries. He has led and delivered engagements for a variety of service offerings, including application security architecture, design, and code reviews; threat analysis; penetration testing; application security program enhancement; vendor security assessments; identity management strategy; customer data privacy assessment; security governance strategy; threat risk assessments; SOX, BS7799 and PCI audit and remediation; and segregation of duties analysis and remediation. Rohit has also developed and taught courses for a wide variety of topics, including web application security exploiting, secure coding in J2EE, exploiting web applications, application security awareness, application security for managers, and general information security awareness. Prior to joining Security Compass, Rohit Sethi was a security consultant at Deloitte and a developer/business analyst at Automatic Data Processing (ADP).

Rohit is a noted expert in application security and has delivered / will be delivering talks or training sessions at RSA conference in San Francisco; CSI National in Washington DC; CSI SX in Las Vegas; SANS conferences in Toronto, Orlando, and Washington DC; Shmoocon in Washington DC; SecTor in Toronto; Infosecurity Toronto and New York; ISC2’s Secure Leadership series in Toronto and Calgary; and TASK and Federation of Security Professionals in Toronto.

Rohit has written articles on Aspect Oriented Programming and Security, Application Classification, and Centralized Logging for the prestigious Web Application Security Consortium and industry-recognized leading security portal Security Focus. He has been interviewed and quoted by Computer World and IT World Canada.

Rohit holds an Honors Bachelor of Science in Computer Science with Software Engineering Specialization from the University of Western Ontario in Canada. He is a Certified Information Systems Security Professional (CISSP) and a Sun Certified Java Programmer.

Dan Sinclair is a Security Consultant with a strong background in application development. He has over seven years of experience in application design and development.

Prior to joining Security Compass, Dan worked as a solutions architect, web developer, and, most recently, as a Solaris 10 migration specialist and instructor for TrekLogic Advanced Solutions. He also helped develop and teach “Solaris 10: An introduction to DTrace, SMF, ZFS and Zones” for Sun Microsystems.

Dan is a contributor to several Open Source projects including the Enlightenment project and OpenSolaris where his work has included design, development, testing and documentation. He serves as a lead developer for the Enlightened Widget Library (Ewl).

Dan has a Bachelors of Mathematics in Honors Computer Science from the University of Waterloo.

Early: Ends May 1	Regular: Ends July 1	Late: Ends July 31	Onsite: August 1
USD 1800	USD 2000	USD 2200	USD 2500