Monday, January 26 • 8:30am - 5:30pm
Training: OWASP Top 10 – Exploitation and Effective Safeguards


David Caissy


Most web application developers have heard of SQL Injection and Cross-Site Scripting, but few know which safeguards are actually effective against expert attackers. Exploitation techniques have evolved considerably in the last few years, and programmers need to keep their guard up. They are in the difficult position of securing systems against experienced attackers. What help do they have?

The OWASP Top 10 web application vulnerabilities list has done a great job of promoting awareness of the subject. Together with the many OWASP cheat sheets, it gives web developers valuable tools and techniques. But such a large body of information can be overwhelming for a programmer who wants to learn about security. This course aims to provide all web developers with deep, hands-on knowledge of the subject.

To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. The instructor will then demonstrate how attacks are performed against these vulnerabilities. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a deliberately vulnerable web site. This step is key to understanding how exploitation works, so that they can later implement effective safeguards in their own systems. Our experience is that participants who have had hands-on experience exploiting vulnerabilities will always remember how to prevent them.

At the end of the course, participants will have learned:
• What the OWASP Top 10 vulnerabilities are
• How attackers exploit them
• Which safeguards are effective… and which ones are not!

The course will cover the following topics:

  1. SSL Certificates
  2. Effective Password Management
  3. Secure Application Architecture
  4. Injection Attacks
  5. Command Injection
  6. File Injection
  7. SQL Injection
  8. Cross-Site Scripting (XSS)
  9. Cross-Site Request Forgery (CSRF)
  10. Broken Authentication and Session Management
  11. Insecure Direct Object References
  12. Security Misconfiguration
  13. Sensitive Data Exposure
  14. Missing Function Level Access Control
  15. Using Known Vulnerable Components
  16. Unvalidated Redirects and Forwards
  17. Securing Web Services (REST and SOAP)
  18. Secure Coding Best Practices
  19. List of Effective Safeguards

Hands-on Exercises:

  1. Session Initialization and Client-Side Validation
    1. Part 1: Web Proxy and Session Initialization
    2. Part 2: Client-Side Validation
  2. Online Password Guessing Attack
  3. Account Harvesting
  4. Using a Web Application Vulnerability Scanner
  5. Optional Exercises:
    1. Sniffing Encrypted Traffic
    2. Command Injection
    3. Create SSL certificates

Prerequisites

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of HTML, XML and SQL, but no prior security experience is required. Security professionals who want to learn more about web security will also benefit from this class.

Requirements

Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMware Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.


Speakers
David Caissy

David Caissy, OSCP, GWAPT, GPEN, GSEC, CISSP, CEH, has 15 years of experience as a security consultant and web application architect. He has performed security audits, vulnerability assessments and web application penetration tests, and has designed several secure systems. He has worked for banks, the Department of National Defense, various government agencies and private companies. He has been teaching information security in colleges and in many...


Monday January 26, 2015 8:30am - 5:30pm
Annenberg Community Beach House: Track 1 415 Pacific Coast Hwy, Santa Monica, CA 90402