Las Vegas, NV - October 1 - 9, 2006

SECURITY

Securing Critical Web Applications and Web Services - Hands On

Monday, October 2, 2006 - Wednesday, October 4, 2006 : 9am - 5pm
Dave Wichers, Aspect Security
6 CPE Credits Per Day

A Uniquely Effective Course

Most developers learn what they know about security on the job, usually by making mistakes. Sadly, that's not working. SANS' most recent data show that hackers have turned their attention away from operating system and network flaws to web applications as their target of choice. Developers who once could rely on application obscurity are now targeted by criminals who exploit their programming errors to make millions of dollars in illicit gains and bring shame and ridicule to the victim organizations.

SANS has found the one course in the country that has been successful in teaching application developers and auditors the most common application security problems and how to find and avoid them. This course easily pays for itself with the first security penetration avoided. It also provides a forum for students to discuss security issues specific to their own application, which allows basic security ground rules to be established early and last throughout a project's lifecycle.

This course has been taught over one hundred times, including multiple offerings to several of the most security-minded defense contractors in the country. It works. It is packed with hard-hitting examples and demonstrations of flaws uncovered in real-world code review and application penetration testing efforts.

The course starts with a module that demonstrates just how insecure most web applications are. It shows how hackers are able to attack web applications and which common vulnerabilities they use. The next modules detail specific security areas, discussing the foundational principles and best practices, and review code examples of design patterns for solutions. The course covers the following areas:

  • Authentication
  • Session Management
  • Access Control
  • Parameter Use
  • Cross-Site Scripting
  • Buffer Overflows
  • Input Validation
  • Command Injection
  • SQL Injection
  • Using Databases Securely
  • Error Handling
  • Cryptography
  • XML Security
  • Using Services Securely
  • Web Services Security
  • Unnecessary and Malicious Code
  • Thread Safety
  • Denial of Service
  • Privacy and Legislative Compliance
  • Accountability and Logging
  • Integrity
  • Caching, Pooling, and Reuse
  • Code Quality
  • and more...

In each area, the course covers:

  • Theoretical foundations
  • Common pitfalls when implementing
  • Details on historical exploits
  • Suggested security policies
  • Best practices for implementation
  • Pseudocode examples

To cement the principles from the course, students can attack a live web application that has been seeded with many common vulnerabilities. The web application includes a number of exercises in which students experiment with real attack techniques. This hands-on session finishes with an exciting online challenge: developers race to complete a three-stage challenge in which they must compromise an authentication scheme, break into a database to steal credit-card numbers, and then successfully deface the web site in order to win.