OWASP
AppSec USA
OWASP Logo
2011
Your life is in the cloud.

Minneapolis
Sched/Slides/Video
Venue/Hotel/Travel
Contact Us
FAQ
About Us
Archive
Women in AppSec
September
20-21
Training

September 21
U Challenge
Workgroups
5K/10K
September
22-23
Talks
CTF
Sponsors
OSS Showcase

TRAINING

September 20-21, 2011: Intense hands-on training for information security and software development professionals

Pricing

Two day courses were $1,500 USD and one day courses were $750 USD. More information on pricing and group registration discounts here.

Questions? E-mail [email protected].

Courses

Jump to: Two Day Courses | One Day Courses

 

Two Day Courses (each course spanned two full days)

One Day Courses (each course spanned one full day)

 

Two Day Courses (each course spanned two full days, September 20-21)

Hands on Web Application Testing: Assessing Web Apps the OWASP Way

Matt TesauroTrainer: Matt Tesauro

Level: Technical / Basic & Intermediate

Date: September 20-21, 2011

Class Summary: The goal of the training session is to teach students how to identify, test, and exploit web application vulnerabilities. The creator and project lead of the OWASP Live CD, now recoined OWASP WTE, will be the instructor for this course and WTE will be a major component of the class. Through lecture, demonstrations, and hands on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands on labs to sharpen their skills and reinforce what they’ve learned. Students will also receive a complementary DVD containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and includes topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and Ajax vulnerabilities. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

Computer Minimum Requirements: Windows XP or Newer / OS X 10.5 or Newer / Recent Linux Distro Supported, RAM for Base OS + 640 MB free RAM (ideally, at least 3 GB RAM), 3.5 GB Free Disk Space plus Space for VirtualBox, Network Connection Not Required, Administrator Access on Computer for Software Installation

About Matt Tesauro: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. Matt has taught both the undergraduate and graduate level courses at Texas A&M University in the Management and Information Systems department (MIS). Beside the teaching at Texas A&M University, Matt currently teaches internal trainings to TEA employees. The courses Matt has authored and taught include:

  • Web Application Security
  • Wireless Security
  • Web Browser Security
  • Anatomy of a Virus
  • Application Security Overview
  • State of Security (yearly overview)

Matt is certified as an instructor of Security Incident Handling by the Software Engineering Institute at Carnegie Mellon University in connection with his position on the Texas Computer Security Incident Response Team.

Jump to: Two Day Courses | One Day Courses

SOLD OUT
.NET Secure Coding Practices

Erez MetulaTrainer: Erez Metula

Level: Technical / Intermediate

Date: September 20-21, 2011

Full Course Description PDF

Class Summary: Secure programming is the best defense against hackers.

This multilayered Hands on course will demonstrate live real time hacking methods, analyze the code deficiency that enabled the attack and most importantly teach how to prevent such vulnerabilities by adopting secure coding best practices in order to bullet-proof your .NET application.

The methodology of the Cycle of knowledge is as follows: Understand, Identify, Prevent

This methodology presents the student with analytical tools to keep a deeper understanding of coding vulnerabilities and implement security countermeasures in different areas of the software development lifecycle.

The hands on labs will enable the student to get a firsthand experience of the Hacker's world and what could be done to stop him.

Using sound programming techniques and best practices shown in this course, you will be able to produce high-quality code that stands up to attack. The course covers major security principles in the .NET framework, programming vulnerabilities, and specific security issues in ASP.NET web applications and Winform applications.

The course topics include:

  • Application level attacks – live demonstrations of the OWASP Top 10
  • Validating users' data securely
  • Securing DB connections
  • Cryptography - Sensitive Data protection & Data integrity
  • Authentication & Authorization
  • Secure .NET Configuration
  • Session Management
  • Exception Management
  • Auditing and Logging
  • .NET Framework best practices

Computer Minimum Requirements: Laptop Equipped with VMWare Player / Workstation, 2GB of RAM, and about 15GB of Disk Space for Software Installation. Each student will receive a personal DVD equipped with a LAB VM, code samples, slides, etc.

About Erez Metula: Erez Metula is a world renowned application security expert, spending most of his time finding software vulnerabilities and teaching developers how they should avoid them. Erez has extensive hands-on experience performing security assessments, code reviews, and secure development trainings for worldwide organizations, and has previously talked at international security conferences such as Black Hat, DEF CON, OWASP, RSA, SOURCE, CanSecWest, and more. His latest research on Managed Code Rootkits, presented at major conferences throughout the world, was published recentely as a book by Syngress publishing. He is the founder of the company AppSec, where he works as an independent consultant focusing on advanced application security topics.

Jump to: Two Day Courses | One Day Courses

Building Secure Ajax and Web 2.0 Applications

Dave WichersTrainer: Dave Wichers

Level: Technical / Intermediate

Date: September 20-21, 2011

Class Summary: This two-day class will cover common Web 2.0 and Ajax security threats and vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.

Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of "what to do" and "what not to do." The class is led by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

Computer Minimum Requirements: Microsoft Windows XP or newer (minimal RAM/disk space needed, no network connection required).

About Dave Wichers: Dave Wichers is the Chief Operating Officer (COO) of Aspect Security (www.aspectsecurity.com), a company that specializes in application security services. Mr. Wichers brings over seventeen years of experience in the information security field. Prior to Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications.

His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and developer training.

Dave holds a BSE in Computer Systems Engineering from Arizona State University and a Masters degree in Computer Science from the University of California at Davis. Dave is a CISSP and a CISM, is currently the OWASP Conferences Chair (www.owasp.org), and is a coauthor of the OWASP Top Ten.

Jump to: Two Day Courses | One Day Courses

Analyzing and Securing Enterprise Application Code

Shreeraj ShahTrainers: Shreeraj Shah and Amish Shah

Level: Technical / Intermediate

Date: September 20-21, 2011

Full Course Description PDF

Class Summary: Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. The class is designed and developed to focus on enterprise architecture and application analytics to discover vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases, a vulnerability crops up due to programming errors and in 36% of cases, due to configuration issues. The course will cover analysis techniques, with tools, for assessment and review of enterprise application source code. Enterprise 2.0 and mashups, along with other different Web 2.0 concepts, reinforced by hands-on experience, will help in understanding next generation application requirements.

Computer Minimum Requirements: Windows XP / Vista / Server Family, 1 GB RAM, Ample Free Disk Space for Software Installation, Ethernet

About Shreeraj Shah and Amish Shah: Shreeraj Shah, B.E., MSCS, MBA, is a founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Hacking Web Services (Thomson 2006) and Web Hacking: Attacks and Defense (Addison-Wesley 2003). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Black Hat, OSCON, Bellua, Syscan, ISACA, and more. His articles have been regularly published on SecurityFocus, InformIT, DevX, O’Reilly, and HNS. His work has been quoted on BBC, Dark Reading, and Bank Technology as expert analysis.

 

Jump to: Two Day Courses | One Day Courses

 

One Day Courses (each course spanned one full day)

WebAppSec: Developing Secure Web Applications

Trainer: Robert H'obbes' Zakon

Level: Technical / Basic - Intermediate

Date: September 21, 2011

Class Summary: Web applications are the new frontier of widespread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP’s Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP-based, much of the content is also applicable to other languages.

This will be an updated, encore presentation of last year’s well received OWASP AppSec DC course. Following are quotes from prior WebAppSec attendees:

"Great coverage for a complicated and broad ranged subject matter. Just the right mix of generalization and technical coverage for developers and management"
"The information was very useful and current. I've learned things that I can immediately implement in my code."
"Presented in a very structured format. Instructor knew his stuff. Good presentations."
"The slides were excellent - full of good code examples and explanations"
"Very knowledgeable! Covered a lot of topics in a limited amount of time"
The presenter was excellent. He didn't present an overload of information. The day went very quickly and I am leaving with a lot of valuable information"
"Material that was presented was presented and covered well. Instructor is very knowledgeable"
"Handouts & presentation well organized & coordinated"

All course registrants will receive printed materials and a certificate of completion which may be used for documenting CPE credits.

Computer Minimum Requirements: Computer Not Required

About Robert H'obbes' Zakon: Robert H'obbes' Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy and Psychology. His interests are diverse and can be explored at www.Zakon.org where his vitae is available.

Jump to: Two Day Courses | One Day Courses

SOLD OUT
The Art of Exploiting SQL Injection

Sumit SiddharthTrainer: Sumit Siddharth

Level: Technical / Intermediate

Date: September 21, 2011

Class Summary: SQL Injection, although now nearly 15 years old, still exists in over 30% of the web applications. OWASP rates this vulnerability as the top most risk within the web applications. This vulnerability could typically result in 3 scenarios:

  1. Authentication Bypass
  2. Extraction of arbitrary sensitive data from the database
  3. Access and compromise of the internal network

To identify the true impact of this vulnerability it is essential that the vulnerability gets exploited to the full extent. While there is a reasonably good awareness when it comes to identify this problem, there are still a lot of grey areas when it comes to exploitation or even identifying complex vulnerabilities like a 2nd order injections. This training will target 3 databases

  • MS-SQL
  • MySQL
  • Oracle

and discuss a variety of exploitation techniques to exploit each scenario.The aim of the training is to provide attendees with a thorough understanding of the vulnerability, Knowledge of advanced exploitation techniques used by attackers in the wild, understanding of how to review the source code against this vulnerability and finally how to patch the code to ensure its safe.

Computer Minimum Requirements: Microsoft Windows (Native or VM), 1 GB RAM for OS, 1 GB Free Disk Space, Ethernet, Administrator Access on Computer for Software Installation

About Sumit Siddharth: Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of experience in pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker/trainer at many security conferences including Blac Hat, DEF CON, Troopers, OWASP AppSec, Sec-T, and so forth. He also runs the popular IT security blog www.notsosecure.com.

Jump to: Two Day Courses | One Day Courses

Application Attack Detection & Response - A Hands-on Planning Workshop

Colin WatsonTrainer: Colin Watson

Level: Management, Technical and Operations / Intermediate & Advanced

Date: September 20, 2011

Class Summary: A practical participatory exercise and lecture-based day-long workshop where participants will learn how to define, select, and specify application-layer intrusion detection and protection (IDP). The training course uses a problem-centered approach where participants are encouraged to use their own knowledge and experience to apply the techniques learned in example lab projects. Most of the day will be spent working in small teams creating strategies and implementation plans, which could subsequently be used in development. The course is not computer-based, does not involve any coding and is language/framework agnostic. It is based on the concepts in the OWASP AppSensor Project. Full printed handouts are provided together with materials for all the exercises, so participants can take these away and apply the ideas within their own organizations.

Computer Minimum Requirements: Computer Not Required

About Colin Watson: Colin Watson is an experienced application security consultant, working mainly in the area of building security and privacy into the software development life cycle.

Jump to: Two Day Courses | One Day Courses

Designing, Building, and Testing Secure Applications on Mobile Devices

Dan CornellTrainer: Dan Cornell

Level: Technical / Intermediate

Date: September 20, 2011

Class Summary: This course provides an introduction to security for mobile and smartphone applications. It walks through a basic threat model for a smartphone application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques. Particular emphasis will be on the unique security challenges that developing software for mobile devices represent, comparing mobile software security concepts to those in the web application world.

Computer Minimum Requirements: Computer not required, although your learning may be enhanced with the following: Perl/grep/vi, Eclipse with the Android development kit, and OS X with XCode.

About Dan Cornell: Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee, and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.

Jump to: Two Day Courses | One Day Courses

SOLD OUT
Talks Icon

Talks

Sponsors Icon

Sponsors

Training Icon

Training

Capture the Flag Icon

CTF



Promotional Consideration Provided By

Corporate Donors
Cargill

Platinum
Trustwave   Security Innovation

Gold
IBM   NetSPI   Veracode

Qualys   Fortify, an HP Company

Silver
Cigital   Accuvant   Core Security

Radware   Imperva   WhiteHat Security

Barracuda Networks   Rapid7   Aspect Security

Fishnet Security   Intrepidus Group   NT OBJECTives

Additional Sponsors
F5

Media Partners
TECHdotMN   The 451 Group

(ISC)2   InfoSecurity