One Day Left! Get an iPad, Tab A, or $250 Off with your OnDemand registration

Cyber Defense Initiative® 2015

Washington, DC | Sat, Dec 12 - Sat, Dec 19, 2015
This event is over,
but there are more training opportunities.
 

Building a Web Application Vulnerability Management Program

  • Jason Pubal - Master's Degree Candidate
  • Thursday, December 17th, 7:15pm - 8:15pm

For years, attackers have assailed network and system level vulnerabilities, fueling demand for products like firewalls and network vulnerability scanners. As these products mature and IT security teams learn to better handle network security, the industry is seeing a visible increase in attacks moving up the stack to target application-level vulnerabilities.

Mature application security programs perform security testing against web applications during development but tend to be reactive to security defects once an application has been deployed. Web applications that are being used in a production environment are not typically subject to recurring security tests. There is fear of causing an impact to functionality and a notion that as long as the codebase has not changed it is impossible to find new security vulnerabilities in an application that was thoroughly tested prior to being deployed. Any vulnerability not found during this initial testing is only known about and addressed after an incident has occurred. Meanwhile, infrastructure vulnerability management performs recurring vulnerability scanning against production networks and servers as the web applications hosted on them are ignored.

As threats evolve and new attack vectors are discovered, applications need to be tested to see how they are affected. Application vulnerability management needs the same rigor infrastructure vulnerability management has; web application vulnerability assessments need to be continuous. The web application vulnerability management framework presented in this presentation is the next step in application security. This framework introduces a methodology, processes, and activities to achieve that goal.

Bio: Jason is a Director of information security leading web application security and penetration testing teams at a large financial services company. In his decade in information security, he has worked in various industries, done a little of everything security, and picked up a couple certifications along the way. With a development background, he has focused his efforts in the last few years on application security. A snowboarder, homebrewer, and hacker - Jason is happy to talk about application security, or your last good beer.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Vendor: Events hosted by external vendor exhibitors.
  • Lunch & Learn: Short presentations given during the lunch break.
  • Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Sunday, December 13
Session Speaker Time Type
Registration Welcome Reception Sunday, December 13th, 5:00pm - 7:00pm Reception
Securing The Kids Lance Spitzner Sunday, December 13th, 6:00pm - 7:00pm SANS@Night
Monday, December 14
Session Speaker Time Type
General Session - Welcome to SANS Bryce Galbraith- Renaissance Washington, DC Downtown Hotel Monday, December 14th, 8:15am - 8:45am Special Events
General Session - Welcome to SANS Jason Fossen-Grand Hyatt Washington Monday, December 14th, 8:15am - 8:45am Special Events
Busting The Rebel Scum - QRadar and Box Peter Szczepankiewicz. SANS Certified Instructor and IBM Product Manager and Sonny Hashmi, Managing Director, Box Monday, December 14th, 12:30pm - 1:15pm Lunch and Learn
Mike Assante talks on ICS Security Case Studies Mike Assante Monday, December 14th, 6:30pm - 8:00pm Special Events
What's New for Security in Windows 10 and Server 2016? Jason Fossen Monday, December 14th, 7:15pm - 9:15pm Keynote
Tuesday, December 15
Session Speaker Time Type
Defining Your First Line of Defense Tom Byrnes, Founder and CEO Tuesday, December 15th, 12:30pm - 1:15pm Lunch and Learn
Launch, Detect, Evolve: The Mutation of Malware Andres Ortiz, Malware Intelligence Analyst Tuesday, December 15th, 12:30pm - 1:15pm Lunch and Learn
An Architecture for Continuous Monitoring and Mitigation Matt Hartley, Director - Federal Civilian Agencies & Systems Integrators and Ellen Sundra, CISSP - Director of Systems Engineering - DOD, Forescout Technologies Tuesday, December 15th, 12:30pm - 1:15pm Lunch and Learn
Think Like an Attacker: What You Must Know About Targeted Attack Techniques Michael Mumcuoglu, Co-Founder, and Chief Technology Officer Tuesday, December 15th, 12:30pm - 1:15pm Lunch and Learn
Women's CONNECT Event in partnership with ISSA International Women In Security Special Interest Group (WIS SIG) Tuesday, December 15th, 5:00pm - 7:00pm Special Events
Offensive Countermeasures, Active Defenses, and Internet Tough Guys John Strand Tuesday, December 15th, 7:15pm - 8:15pm SANS@Night
The Crazy New World of Cyber Investigations: Law, Ethics and Evidence Benjamin Wright Tuesday, December 15th, 7:15pm - 8:15pm SANS@Night
Automating Post-Exploitation with PowerShell James Tarala Tuesday, December 15th, 7:15pm - 8:15pm SANS@Night
The Effectiveness of Microsoft's EMET Stephen Sims Tuesday, December 15th, 8:15pm - 9:15pm SANS@Night
How to bring some Advanced Persistent Trickery to your fight against Advanced Persistent Threats... Bryce Galbraith Tuesday, December 15th, 8:15pm - 9:15pm SANS@Night
Wednesday, December 16
Session Speaker Time Type
Solutions Expo Wednesday, December 16th, 12:00pm - 1:30pm Vendor Event
Solutions Expo Wednesday, December 16th, 5:30pm - 7:30pm Vendor Event
Malware Analysis for Incident Responders: Getting Started Lenny Zeltser Wednesday, December 16th, 7:15pm - 9:15pm SANS@Night
The Tap House Phil Hagen Wednesday, December 16th, 7:15pm - 8:15pm SANS@Night
ICS/SCADA Cyber Attacks - Fact vs. Fiction Robert M. Lee Wednesday, December 16th, 7:15pm - 8:15pm SANS@Night
The Plinko Board of Modern Persistence Techniques Alissa Torres Wednesday, December 16th, 8:15pm - 9:15pm SANS@Night
Debunking the Complex Password Myth Keith Palmgren Wednesday, December 16th, 8:15pm - 9:15pm SANS@Night
GIAC Program Overview Courtney Imbert Wednesday, December 16th, 8:15pm - 9:15pm Special Events
Thursday, December 17
Session Speaker Time Type
STI Lunch and Learn Thursday, December 17th, 12:30pm - 1:15pm Lunch and Learn
Prevent - Detect - Respond Derrick Masters, Security Analyst, Infogressive Thursday, December 17th, 12:30pm - 1:15pm Lunch and Learn
See Threats Coming with DomainTools Mark Kendrick, Director of Solution Engineering Thursday, December 17th, 12:30pm - 1:15pm Lunch and Learn
Crack the Code: Defeat the Advanced Adversary Robert Clark, Systems Engineer, Palo Alto Networks Thursday, December 17th, 12:30pm - 1:15pm Lunch and Learn
Foundational Cyber Security Hygiene: Getting Back to Basics Hariom Singh, CISSP, Director of Policy Compliance Thursday, December 17th, 12:30pm - 1:15pm Lunch and Learn
CISA: How do we get past walking and actually start running with Information Sharing? Trish Cagliostro, Principal Security Architect Thursday, December 17th, 12:30pm - 1:15pm Lunch and Learn
NetWars Tournament of Champions Ed Skoudis, Tim Medin, and Jeff McJunkin Thursday, December 17th, 6:30pm - 9:30pm Special Events
Evolving Threats Paul Henry Thursday, December 17th, 7:15pm - 8:15pm SANS@Night
Card Fraud 101 G. Mark Hardy Thursday, December 17th, 7:15pm - 8:15pm SANS@Night
Building a Web Application Vulnerability Management Program Jason Pubal - Master's Degree Candidate Thursday, December 17th, 7:15pm - 8:15pm Master's Degree Presentation
The 14 Absolute Truths of Security Keith Palmgren Thursday, December 17th, 8:15pm - 9:15pm SANS@Night
Information Security Risk Management - No Exceptions! Mark Williams Thursday, December 17th, 8:15pm - 9:15pm SANS@Night
Friday, December 18
Session Speaker Time Type
Automating the Hunt for Attackers Dan Mitchell, Senior Security Engineer Friday, December 18th, 12:30pm - 1:15pm Lunch and Learn
NetWars Tournament of Champions Ed Skoudis, Tim Medin, and Jeff McJunkin Friday, December 18th, 6:30pm - 9:30pm Special Events
This event is over,
but there are more training opportunities.
 
Downloads
Share
Latest Whitepapers

Detect and Track Security Attacks with NetWitness by RSA
By Dave Shackleford

The State of Cloud Security: Results of the SANS 2020 Cloud Security Survey
By Thomas (TJ) Banasik

Network Segmentation of Users on Multi-User Servers and Networks
By Ryan Cox

Last 25 Papers »

Latest Tweets @SANSInstitute

This year, we invited @MindsEyeCCF to create graphic recordi [...]
January 26, 2021 - 6:06 PM

Interested in new courses and major course updates? Check ou [...]
January 26, 2021 - 4:30 PM

Join @_bromiley as he chairs the survey results webcast asso [...]
January 26, 2021 - 3:30 PM

Contact Us

Mon-Fri: 9am-8pm ET (phone/email)
Sat-Sun: 9am-5pm ET (email only)
301-654-SANS(7267)
info@sans.org

"It has really been an eye opener concerning the depth of security training and awareness that SANS has to offer."
- Michael Hall, Drivesavers

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health and Security

"The perfect balance of theory and hands-on experience."
- James D. Perry II, University of Tennessee