
Web Applications: Attacks & Defense – Advanced Edition Workshop

Date: 20 - 21 March 2006
Time: 8.30 am – 5.30 pm
Venue:
Grand Plaza Parkroyal, Kuala Lumpur


This workshop is an intense 2-day journey into the innards of web application security and the class is based on case studies of real-life web applications riddled with security problems. Participants are given hands-on experience in performing thorough application security reviews as well as secure coding and application deployment techniques.

The course is based on a highly proven application testing methodology, encompassing black box and white box testing techniques, application security principles and practices, and real world examples.


Introduction and Objective

During the course, participants are introduced to a web application which they must secure by the end of the class. This application lock-down exercise takes participants through concepts such as:

  • Understanding application security issues
  • Application testing methodologies
  • Secure application deployment
  • Secure coding techniques
  • Security by design

Who Should Attend

This workshop is for developers, web site administrators, application security analysts and project managers / IT managers. Participants are expected to bring the following:

  • Proficiency in the base operating system - either UNIX or Windows
  • Understanding of web server configuration
  • Understanding of HTTP
  • Understanding of web programming languages such as PHP or ASP or J2EE or ASP.NET
  • Understanding of TCP/IP
  • Ability to write scripts with either Perl or Unix SH

Proficiency - a high degree of skill is required; many concepts will be taken for granted.

Understanding - core concepts the participant is assumed to know. This does not imply total command and mastery of the subject, but it is a stage beyond simple familiarity.

Ability - basic working ability with a particular skill; a high degree of skill is not required, only entry-level knowledge.

The advanced edition of the “Web Applications: Attacks and Defense” class features a more complex web application, written in ASP, PHP, ASP.NET or Java/JSP. In addition to the material of the regular class, the advanced edition covers security issues such as:

  • Authentication
  • Preventing session hijacking
  • Privilege escalation
  • Advanced SQL security with stored procedures
  • Buffer overflow attacks against web applications

Participants may choose their platform of expertise (Windows IIS+SQL Server+ASP, Windows .NET, Linux Apache + MySQL + PHP or Linux J2EE+Oracle) when taking the class. This class involves rigorous hands-on exercises.

Workshop Facilitators:

Saumil Shah - Founder & CEO, Net-Square Solutions Pvt Ltd; co-author of “Web Hacking: Attacks & Defense”, author of “The Anti-Virus Book”, technical editor of “Hacking Exposed 2nd Ed” and contributor to “Know Your Enemy - The Honeynet Project”. His focus is on researching vulnerabilities in e-commerce and web-based application systems, system architecture and developing short-term training programmes. Saumil also provides information security consulting services, specializing in ethical hacking and security architecture. He has extensive experience with system administration, network architecture, integrating heterogeneous platforms and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT sector. Saumil is a regular speaker and trainer at security conferences such as BlackHat and RSA. Previously, Saumil was the Director of Indian operations for Foundstone Inc, where he was instrumental in developing their web application security assessment methodology and the web assessment component of FoundScan, Foundstone's Managed Security Services software, and in pioneering Foundstone's Ultimate Web Hacking training class. Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company's ethical hacking and security architecture solutions.

Hemil Shah - Principal Analyst, Net-Square Solutions Pvt Ltd. Hemil works on e-commerce security research and security consulting at Net-Square. He has valuable experience with web security and has performed numerous ethical hacking exercises for many significant IT companies. He has a strong research background in web technologies, networking and information security, and his experience in other areas of information technology includes system administration, network management and training. His contributions to Net-Square's information security consulting services include managing a company-wide security audit and architecture reviews. He has a strong capability for helping operational and engineering staff solve their security problems.

Umesh Nagori - VP Business Development for the IT Security Practice at Net-Square Solutions Pvt. Ltd. Umesh also provides information security consulting services and training to Net-Square clients, specializing in web hacking and security. Starting from software development, he has played key roles in other areas of information technology including system administration, network management, system analysis, training and project management. He has many years of experience with web application development, application and system security architecture, network architecture, security consulting and security training. Prior to joining Net-Square, Umesh worked as Sr. System Analyst (IT Application Security) at Hughes Network Systems, USA (HNS), where he played a key role in overseeing web development and application security for HNS's internet-facing applications.

See www.net-square.com for further information.


Key Learning Objectives:

  • Problems that occur when developing a web application.
  • Security issues when deploying a web application.
  • Web application security testing.
  • Securely configuring web servers.
  • Secure coding techniques.
  • Spotting basic errors in web application code.
  • Basic error handling techniques.

PLEASE NOTE: This 2-day workshop requires participants to bring their own laptops for the duration of the workshop.

For further information and registration, please contact the PDC at +603-5636 0600 extn: 3402 or email pdcinfo@monash.edu.my