San Diego, CA - March 29 - April 6, 2007
This is the best group of instructors I've ever been exposed to.
-Mark Jeanmougin, 53.com

SECURITY

Securing Critical Web Applications and Web Services - Hands On

Monday, April 2, 2007 - Thursday, April 5, 2007 : 9am - 5pm
Dave Wichers, Aspect Security
6 CPE Credits Per Day
A Uniquely Effective Course.

Most developers learn what they know about security on the job, usually by making mistakes. Sadly, that's not working. SANS' most recent data show that hackers have turned their attention away from operating system and network flaws to Web applications as their target of choice. Developers who once could rely on application obscurity are now targeted by criminals who use their programming errors to make millions of dollars in illicit gains and bring shame and ridicule to the victim organizations.

SANS has found the one course in the country that has been successful in teaching application developers the most common application security problems and how to avoid them. This course covers the traditional Web application security issues, including the OWASP Top Ten, plus up-and-coming Web technologies like Web Services, XML, and AJAX, all of which introduce significant additional security issues that are frequently not addressed properly. The course also provides a forum for developers to discuss security issues specific to their application and to establish basic security ground rules that will last throughout a project's life cycle. It easily pays for itself with the first security penetration avoided.

This course has been taught well over one hundred times, including dozens of offerings to several of the most security-minded defense contractors in the country. With its hands-on testing labs, code review scenarios, and group exercises, it works. It is packed with hard-hitting examples and demonstrations of flaws uncovered in real-world code review and application penetration testing efforts.

The course starts with a module that demonstrates just how insecure most Web applications are. It shows how hackers attack Web applications and which common vulnerabilities they exploit. The next modules detail specific security areas, discuss the foundational principles and best practices, and review code examples of design patterns for solutions.

To cement the principles from the course, students attack a live Web application that has been seeded with loads of common vulnerabilities. This Web application includes a number of exercises in which students experiment with real attack techniques. Students get to use commonly available application security testing tools, such as the OWASP WebScarab pen test proxy, to learn how attackers actually find and exploit these vulnerabilities. This hands-on session finishes with an exciting online challenge. The students race to penetrate a three-stage challenge where they must compromise an authentication scheme, break into a database to steal credit card numbers, and then successfully deface the Web site in order to win.

  • Who Should Attend
    • Software and Web application developers
    • Software, QA, and security testers
    • System and security administrators
    • Security engineers
  • A Sampling of Topics
    • Authentication
    • Session management
    • Access control
    • Parameter use
    • Cross site scripting
    • Cross site request forgery
    • Buffer overflows
    • Input validation
    • Command injection
    • SQL injection
    • Using databases securely
    • Error handling
    • Cryptography
    • XML security
    • Using services securely
    • Web services security
    • AJAX Security
    • Unnecessary and malicious code
    • Thread safety
    • Denial of service
    • Privacy and legislative compliance
    • Accountability and logging
    • Integrity
    • Caching, pooling, and reuse
    • Code quality
    • and more...

Wow! It's an incident handler's Christmas morning, tools, tools, tools. Very Applicable!
-Todd Davis, Symantec