Can you answer these questions?
• Are your web applications secure?
• Do you know how to lock down new web applications when they are placed into production?
• Do you know if/when attackers are trying to break into your site and steal data or cause other harm?
• Do you know if/when attackers are attacking other web application users?
If you can not confidently answer yes to all of these questions then this is the class for you! This expanded 4-day bootcamp is based on the popular book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" written by the class trainer Ryan Barnett. Copies of the book will be provided to all participants and will be used as the basis for the courseware material. The class is tailored for web application defenders (operational security personnel) who are charged with protecting live web applications. The training will provide answers to these questions and increase your ability to identify and thwart malicious activities within your web applications.
You will learn the following skills:
• Implement full HTTP auditing for incident response
• Utilize virtual patching processes to remediate identified vulnerabiities
• Deploy web tripwires (honeytraps) to identify malicious users
• Detect when users are acting abnormally
• Analyze uploaded files and web content for malware
• Recognize when web applications leak sensitive user or technical data
• Respond to attacks with varying levels of force
• Operational Security Staff
• Network Security Personnel
• Web Server Administrators
• Information Security Officers
• Penetration Testers
• Web Application Developers
Students will gain the most benefit if they have the following skillset:
• Understand the HTTP Protocol
• Perl Compatible Regular Expressions (PCRE)
• ModSecurity open source web application firewall (WAF)
• Apache web server administration
• Unix OS commands and file editing
Each student will need to bring their own laptop with VMware workstation installed. For hands-on lab exercises, we will utilize the OWASP Broken Web Applications VM project as it already has many vulnerable target web applications. OWASP BWA also includes the cross-platform (Apache, IIS and Nginx), open source ModSecurity Web Application Firewall (WAF) and OWASP ModSecurity Core Rule Set (CRS) which is the tool that we will be using for our labs exercises to implement our defenses. Students should ensure that they are able to use SSH to log into the OWASP BWA VM from their base OS and also ensure that networking allows for outbound Internet access as students will need to access external websites.
Each student will receive a hard copy of the "Web Application Defender's Cookbook: Battling Hackers and Defending Users book by Wiley Publishing" as this is used as a reference manual through the class and labs. Students will be provided access to the collaborative LAB site hosted on Mozilla's Etherpad site. This allows for real-time, collaborative work which expedites hands-on labs by allowing copy/paste usage for OS commands. Students are able to download copies of the LAB workbook to work offline or to print hard copies on their own.
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open source ModSecurity web application firewall project.
In addition to his commercial work at Trustwave, Ryan is also an active contributor to many community-based security projects. He serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set project leader and contributor on the OWASP Top Ten and AppSensor projects. He is a Web Application Security Consortium Board Member and leads the Web Hacking Incident Database and the Distributed Web Honeypot projects. At the SANS Institute, he is a certified instructor and contributor on the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors projects.
Ryan is regularly consulted by news outlets who are seeking his insights and analysis on emerging web application attacks, trends and defensive techniques. Ryan is a frequent speaker and trainer at key industry events including Black Hat, SANS AppSec Summit and OWASP AppSecUSA.
Ryan has authored two web security books with titles such as: "Preventing Web Attacks with Apache" from Pearson Publishing and the forthcoming "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" from Wiley Brothers Publishing.