A Uniquely Effective Course
Most developers learn what they know about security on the job, usually by
making mistakes. Sadly, that's not working. SANS' most recent data show that
hackers have turned their attention away from operating system and network flaws to web
applications as their target of choice. Developers who once could rely on application
obscurity are now targeted by criminals who use their programming errors to
make millions of dollars in illicit gains and bring shame and ridicule to the
victim organizations.
SANS has found the one course in the country that has been successful in
teaching application developers the most common application security problems
and how to avoid them. This course easily pays for itself with the first
security penetration avoided. It also provides a forum for developers to discuss
security issues specific to their application, and that allows basic security
ground rules to get established that last throughout a project's lifecycle.
This course has been taught at several of the most security-minded defense
contractors in the country. It works. It is packed with hard-hitting examples
and demonstrations of flaws uncovered in real-world code review and
penetration testing.
The course starts with a module that demonstrates just how insecure most web
applications are. It demonstrates how hackers are able to attack web
applications, and what common vulnerabilities they use. The next modules detail
specific security areas, discussing the foundational principles and best
practices, and review code examples of design patterns for solutions. The course
covers the following areas:
- Authentication
- Access Control
- Parameter Use
- Cross Site Scripting
- Buffer Overflows
- Command Injection
- Error Handling
- Cryptography
- System Administration
- Server Configuration
- Unnecessary and Malicious Code
- Thread Safety
- Denial of Service
- Privacy and Legislative Compliance
- Accountability and Logging
- Integrity
- Caching, Pooling, and Reuse
- Code Quality
- and more...
In each area, the course covers:
- Theoretical foundations
- Common pitfalls when implementing
- Details on historical exploits
- Suggested security policies
- Best practices for implementation
- Pseudo code examples
To cement the principles from the course, students can attack a live web
application that has been seeded with loads of common vulnerabilities. The web
application includes a number of exercises where students will experiment with
real attack techniques. This hands-on session finishes with an exciting
online challenge. Developers race to penetrate a three-stage challenge where
they must compromise an authentication scheme, break into a database to steal
credit-card numbers, and then successfully deface the web site in order
to win.