Foundations of Web Application Security

On Friday 2008-06-27

A whirlwind tour of the most common web application security flaws as defined by the OWASP Top 10, and how to avoid them using Java.

Presenter Dave Wichers

Training

from 09.00 - 17.00

Location

TECHNOPARK
Room Newton 1009
Technopark Zurich
Technoparkstrasse 1
8005 Zurich

Abstract

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts. This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following common vulnerability areas (the OWASP Top 10):

  • A1 - Cross Site Scripting (XSS)
  • A2 - Injection Flaws
  • A3 - Malicious File Execution
  • A4 - Insecure Direct Object Reference
  • A5 - Cross Site Request Forgery (CSRF)
  • A6 - Information Leakage and Improper Error Handling
  • A7 - Broken Authentication and Session Management
  • A8 - Insecure Cryptographic Storage
  • A9 - Insecure Communications
  • A10 - Failure to Restrict URL Access

Hands on

To cement the principles discussed, students can participate in a number of hands-on security testing exercises in which they attack a live web application (WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own Windows-based laptop to participate in the exercises.

Audience

Developers who want to understand the most common web application security flaws, and how to avoid them.

Level

Intermediate

Prerequisite

Basic knowledge of Java.
Bringing your own Windows-based laptop is recommended so you can participate in the hands-on exercises.

Duration

Full day

History

Variations of this course have been presented by Aspect Security instructors hundreds of times over the past six years, mostly onsite at customer facilities. It has also been presented at almost every OWASP conference (www.owasp.org/index.php/Category:OWASP_AppSec_Conference) as well as through SANS and numerous other conferences.

Speaker Bio

Dave Wichers is a cofounder and Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. Dave is also a member of the OWASP board, is the OWASP Conferences Chair, and is a coauthor of the OWASP Top Ten. The Open Web Application Security Project (OWASP) (www.owasp.org) is a worldwide free and open community focused on improving the security of application software. Mr. Wichers has over 20 years of experience in the information security field, and has focused exclusively on application security for the past 10. At Aspect, in addition to his COO duties, he is Aspect's application security courseware lead and one of their chief instructors, and provides a wide variety of application security consulting services to Aspect's clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Mr. Wichers holds Bachelor's and Master's degrees in Computer Science, and is a CISSP and a CISM.

Contact

Dave Wichers
Aspect Security / OWASP Foundation
9175 Guilford Road, Suite 300, Columbia, MD 21046
Phone: +01-301-604-4882
Email:
www.aspectsecurity.com
www.owasp.org