F12 – Pre-Con 4: Hands-on: Remote Testing for Common Web Application Security Threats

Track: Pre-Conference Workshop

The proliferation of web-based applications has increased the enterprise’s exposure to a variety of threats. There are overarching steps that can and should be taken at various stages of the application’s lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.

This workshop, through hands-on labs and demonstrations, will introduce the student to the tools and techniques needed to remotely detect and validate the presence of common security weaknesses in web-based applications. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). Security testing helps to fulfill industry best practices and validate the implementation. Security testing is especially useful since it can be done at various phases within the application’s lifecycle (e.g. during development), or when source code is not available for review.

This workshop will focus on the most popular and critical threats facing web applications, such as cross-site scripting (XSS) and SQL injection, based on the industry standard OWASP “Top Ten”. The foundation learned in this class will enable the student to go beyond the top ten via self-directed learning using other industry resources, such as the OWASP Testing Guide.

Please note the following course requirements for this workshop:

Who should attend: People who need to audit web application security, develop web applications, or manage the development of web applications. Some essentials of HTTP will be briefly covered in the course, but it is best if you already have prior experience with HTML and HTTP.

Hands-on Exercises: This one-day workshop will include live demos by the instructor, as well as lab exercises to be performed by the students.

Each student will be given a virtual machine (via CD or USB) containing an open-source OS (Ubuntu), tools, documentation, and web application targets for a fully self-contained web security testing environment. Training will feature the open-source project “Web Application Security Dojo” (http://dojo.mavensecurity.com).

Students are expected to bring a laptop computer so that they can run the virtual machine image supplied by the instructor.

Student system requirements are simple:

  • Any operating system that can run the latest stable version of VirtualBox (free from http://www.virtualbox.org/). Currently supported operating systems include Windows, Mac, and Linux.
  • 5 GB of free HD storage
  • 1 GB of RAM (2 GB or more is better)
  • USB port or DVD drive
  • Wifi networking capability

*** Before the first day of class students must install the latest stable version of VirtualBox. Also install the latest version of “Oracle VM VirtualBox Extension Pack”. Both are free and found here: http://www.virtualbox.org/wiki/Downloads




Session Speaker:

David Rhoades – Senior Consultant, Maven Security Consulting, Inc.
David Rhoades is a senior consultant with Maven Security Consulting Inc., which provides information security assessments and training services to a global clientele. David’s expertise includes web application security, network security architectures, and vulnerability assessments. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University.