Las Vegas, NV - May 31 - June 9, 2008
Global Information Assurance Certification
The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo
About
SANS WhatWorks Summit Series
The SANS WhatWorks Summit Series brings together the thought leaders of the industry...
Work Study opportunities are still available for the Penetration Testing Summit. Please visit the Work Study Facilitator Page to submit an application.

SANS WhatWorks in Web Application Security Summit 2008
Lessons from the Pioneers: Finding and Eliminating Security Flaws in Web and other Applications
with Jeremiah Grossman
- Dates:
  - Pre-Summit Courses: May 31 - June 1
  - Summit: June 2-3
  - Post-Summit Courses: June 4-9
- Summit Venue:
  - Paris Hotel
    3655 Las Vegas Blvd So.
    Las Vegas, Nevada 89109
    Phone: 877-603-4386
    Website: http://www.harrahs.com/casinos/paris-las-vegas/
Multi-Summit Pass
Add on the Multi-Summit Pass Feature to your Application Security Summit registration and get the benefit of two great Summits. You will be able to move between both Summits and choose the talks and panels that will bring the greatest benefit to you and your company.
Learn more about the SANS WhatWorks in Penetration Testing & Ethical Hacking Summit.
Summit Overview: Questions To Be Answered
- What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?
- What new attacks will do the most damage during 2008 and 2009?
- Which application security tools work best and what kind of challenges have users found in implementing them?
- What is the most effective way to meet the PCI requirement for application security?
- How can you gain confidence in the security of outsourced application development and how do you verify the skills of the outsourced programmers?
- How do you embed application security testing into the outsourcer's process?
- How do you ensure the outsourcer has adequate but tightly limited access to your own networks?
- What are the essentials of a comprehensive website security program?
- What are the most prevalent website vulnerabilities?
- What do the hackers hack, how, and what is the end result?
- What strategies work best to identify application vulnerabilities?
- How can you gauge the strengths and weaknesses of your development team?
- How will application security and application development environments evolve over time?
- When will colleges ensure their computer sciences and information technology graduates know secure coding techniques?
What Will You Learn at the Web Application Security Summit?
- The essentials of a comprehensive Web site security program and how to secure an insecure Web site.
- The most current info on Web hacking techniques and how you can guard against them.
- What the most prevalent Web vulnerabilities are and how hackers take advantage of them to hack into your Web site.
- Unique procurement practices that will help you manage your application security outsourcing and improve application security.
- The confessions of a professional Web app hacker.
- What your peers are doing to secure their Web applications and what the best practices are in application security.
- What tools are available and how do they compare? Which tools should you have in your security toolbox to ensure your applications are locked up tight?
Who Should Attend?
- Application security managers and their teams who want to ensure their Web applications are secure
- CIOs and CTOs who need to understand the myriad legal and PCI issues around Web apps
- Web security consultants needing to be aware of the latest issues in the secure apps area
- Development managers who want to be able to help their coders develop secure code
- Software architects and developers tasked with building secure apps from the ground up
- PCI or other compliance auditors
- Test/QA professionals who want to understand and be aware of the latest tools available
- PCI project managers
Why attend? Coming to the Summit will save you months of time in product evaluation, project planning, and just avoiding errors other companies have made. There's no better way to find out what others have tried and what works.
Pre and Post Summit Courses
Register for these in-depth SANS secure programming courses both preceding and following the Summit and really get the most out of your training budget.
- Tactical Exploitation Training
- You might find another course that covers the tactics of exploitation, but you will rarely have the opportunity to learn the secrets of tactical exploitation directly from the industry giants. The instructors for this course are legends in information security: HD Moore, founder of the Metasploit Project and one of the core developers of the Metasploit Framework, and Valsmith, founder of Offensive Computing, a public, open source malware research project.
- Secure Web Services for Managers
- SP 800-95 gives solid architectural guidance; it is a breakthrough document, but its content is beyond the reach of most managers. When we read terms like SOA, SOAP, TLS, XML, XACML, UDDI, and WSDL, our eyes glaze over even though we know this is really important material. SANS wants to help. For this inaugural event, we have enlisted one of SANS's top instructors, Dr. Eric Cole, a fellow of the SANS faculty, to break it down for you step by step. By the end of the class you will understand secure web services and will be ready to ask your web team the right questions and give the right guidance. There are no prerequisites, though some basic IT and IT security knowledge is assumed. There is read-ahead material for students who do not have an IT background, and we highly recommend that you look over that material before attending.
- Network Penetration Testing and Ethical Hacking
- Security vulnerabilities such as weak configurations, unpatched systems, and botched architectures continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.
- Hacker Techniques, Exploits & Incident Handling
- This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.
- Advanced Web Application Penetration Testing
- Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited web sites altered by attackers. In this intermediate-to-advanced class, you'll learn the art of exploiting web applications so you can find flaws in your enterprise's web apps before the bad guys do.
- Web Application Security Workshop
- How do you protect your Web applications? Our Web application security workshop is a two-day, hands-on, action-packed course covering the common vulnerabilities that are leveraged by attackers, the principles of securing Web applications, and general defense techniques to protect against future attacks. This course will help you understand the mechanics of the components necessary for effective Web application security, which will then enable you to properly defend your organization's assets.
- Web Application Penetration Testing Fundamentals
- Successful attacks against websites using application-level flaws are very common nowadays. Would you want hackers to be the first to test the security posture of your critical web applications? If you don't, security testing of web applications during and after development is absolutely necessary. This two-day course starts off with a discussion of software security testing and how it fits into the development lifecycle. We will discuss testing methodologies that are sensible and practical, so you can apply these testing concepts to any of your web applications.
- Defensive Programming and Secure Design
- This two-day course provides developers with a strong foundation in software security as it relates to the implementation of applications. Designed with detailed examples and exercises, this class focuses on the right way for developers to think through security problems. It does this with a combination of structured theory, animated demonstrations, technical deep-dives, and illustrated explanations. It instills the habit of "building security in" through proven programming practices and explains common security-related problems in detail so that software engineers can avoid them in their own work.
- Software Security Awareness
- This awareness course discusses the design and implementation of software applications to reduce the risk from hackers and attacks. The goal is to engineer software so that it continues to function correctly under malicious attack. This course introduces defensive coding and tips to avoid creating problems or vulnerabilities. We also examine the most common flaws of software design and implementation, and you will learn about specific practices to avoid those flaws.
The National Secure Coding Assessment for Programmers
Invite your programmers to take the new GIAC Certified Secure Programmer examination on May 30. For more details on the certifications and exams, see GIAC Secure Software Programmer Certification Exam.
How Good Are SANS Summits?
Here's more from people who attended the last Summit:
Great Summit! It gave the Who, the What, the Hows and the Nots from real-life experiences.
- Rolo Guzman, Hess
This Summit provides an excellent means to stay informed on what is available today, and what the current and emerging issues are.
- Yong Choe, SAIC
Excellent presentations of practical experiences.
- Rich Lansing, Bloomberg