Sunday, 25 January 2009

Training Course: Real World WAST (Web Application Security Testing)

Next week I will be delivering a 2-day training course in Central London which is a preview of the courses I want to start delivering regularly in London/UK.

Ping me if you are interested in attending the next one(s).


Title: Real World WAST (Web Application Security Testing)

Course description: Two day hands-on training course focused on how to test web applications in a fast, efficient and
comprehensive way.

The course will show how a mixture of external assessment techniques (aka BlackBox) with source code analysis (aka White Box) creates the perfect environment to evaluate the security risk profile of the targeted application.

In addition to showing how to find vulnerabilities and write exploits for them, the course will also show how to:
  1. use threat modeling to identify the attack surface,
  2. use WAFs (Web Application Firewalls) to 'patch' & mitigate the vulnerabilities discovered, and
  3. package the findings into 'insecurity patterns' which can be easily 'consumed' by C-level execs, project managers, product architects and developers.
To try the techniques shown, each student will be given remote access to a Windows Virtual Image which will contain the test applications and all tools presented

Technologies covered: ASP.Net and J2EE

Pre-Requesits: Laptop to connect to remote virtual image

Instructor: Dinis Cruz

Dates: 27 & 28 January

Location: Thistle Westminster Hotel, 49 Buckingham Palace Road, London, SW1W 0QT (

  • Part I: Tools and Security Principles
    • Creating the assessment environment
    • Threat Modeling
    • Tools of the the trade (from open source to commercial tools)
    • Case study: "What are the threats of an Airline's web infrastructure?"
    • Case study: Spring Framework and its security implications
    • What can OWASP do for you (from books, to documents, to tools, to community)
  • Part 2 : Exploiting Web Apps
    • Exploiting the test applications: HacmeBank, WebGoat, Open Source App A , Open Source Web Part B
    • Finding vulnerabilities using automated tools
    • Finding vulnerabilities manually
    • Writing exploits

  • Part 3: Root Causes and Insecurity patterns
    • Find the root causes of the issues discovered and package your findings into 'insecurity patterns'
    • How to present your findings to C-level execs, project managers, product architects and developers.

  • Part 4: Fix and Patching vulnerabilities
    • How WAFs can save the day (when used for 'Virtual Patching')
    • Case study: Using HacmeBank's Validator.NET
    • Case study: Using Microsoft's IAG (Intelligent Application Gateway)