Increased demand for web apps hampered by lack of critical penetration

Inevitable growth of web apps leading to innovative new use cases yet many organisations still struggle with security implementation and testing

  • United Kingdom
  • 12 August, 2014

"There are an increasing number of options around deploying IT applications, from onsite through various forms of externally hosted public and private infrastructure, but all of these options are absolutely dependent on the ability to answer a fundamental question - 'How secure are your web applications?'" explains Dave Shackleford, SANS Instructor and highly experienced security expert. "If you can't answer the last question then where your critical applications reside is the least of your worries," quips Shackleford, who suggests that organisations' concern over deployment models has confused a more pressing issue around secure application design and testing.

Shackleford is the founder of consultancy Voodoo Security and senior instructor, author, and analyst with SANS. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. Shackleford has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security.

"If you look into the detail at major breaches, it is the holes in web apps that have resulted in the theft of millions of credit cards alongside major financial and reputational damage for hundreds of enterprises," says Shackleford. "Irrespective of where web apps reside, organisations must assume that vulnerabilities exist or will appear as platforms evolve, and find and fix these flaws before the bad guys do."

Shackleford stresses that many of the basic issues, such as building applications with buffer-overflow and SQL injection vulnerabilities, are still prevalent and are still widely exploited by hackers.

Shackleford will be teaching the SANS SEC542: Web App Penetration Testing and Ethical Hacking course as part of SANS Tallinn 2014 in Estonia this September. The course is aimed at helping web site designers, architects, and developers understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. Through detailed, hands-on exercises and training, attendees learn a four-step process for Web application penetration testing.

The course kicks off with "understanding the attacker's perspective" as the key to successful Web application penetration testing and thoroughly examines Web technology, including protocols, languages, clients, and server architectures, from the attacker's viewpoint. The course then progresses through a logical set of phases including "Reconnaissance and Mapping", "Discovery" and "Exploitation". The final day offers a "capture the flag" challenge allowing students to explore the techniques, tools, and methodology learnt during the course against a realistic intranet application. "The goal is to learn the skills and processes used by an attacker to become better defenders," Shackleford adds.

The 'SANS SEC542: Web App Penetration Testing and Ethical Hacking' course taught by Shackleford will be running at SANS Tallinn 2014, taking place at Sokos Hotel Viru from Monday 1st September until Saturday 6th September 2014. For more information, please visit:


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.