Workshop

09. Web Hacking: Attacks and Defense (Advanced Edition)
Trainer: Net Square (IN)
Date: 28-29 August 2006
Duration: 2 Days
Price: Rp. 13.000.000,-
Requirement: Participants are required to bring their own laptops

Overview

This workshop is an intense two-day journey into the innards of web application security. Brought to you by the authors of "Web Hacking: Attacks and Defense", the class is based on case studies of real-life web applications riddled with security problems. Participants are given hands-on experience in performing thorough application security reviews, as well as in secure coding and application deployment techniques.

The workshop is based on a proven application testing methodology, encompassing blackbox and whitebox testing techniques, application security principles and practices, and real-world examples.

During the workshop, the participants are introduced to a web application, which they have to secure by the end of the class. The application lockdown exercise takes the participants through various concepts such as:

  • Understanding application security issues
  • Application testing methodologies
  • Secure application deployment
  • Secure coding techniques
  • Security by design

The "Web Hacking: Attacks and Defense" workshop features web applications written using ASP or PHP, encompassing security issues such as:

  • Exception handling
  • SQL injection
  • Remote command execution
  • Data tampering
  • Cross site scripting

The advanced edition of the "Web Hacking: Attacks and Defense" workshop features a more complex web application, written using ASP, PHP, ASP.NET or Java/JSP. In addition to the topics of the regular class, the advanced edition includes security issues such as:

  • Authentication
  • Preventing session hijacking
  • Privilege escalation
  • Advanced SQL security with stored procedures
  • Buffer overflow attacks against web applications

This workshop involves rigorous hands-on exercises.

Key Learning Objectives

  • Problems that occur when developing a web application
  • Security issues when deploying a web application
  • Web application security testing
  • Securely configuring web servers
  • Secure coding techniques
  • Spotting basic errors in web application code
  • Basic error handling techniques

General Learning Objectives

  • Developing procedures to test and maintain the security of a web application
  • Source code review procedures
  • Proficiency with security testing tools and procedures

About the tutor

Shreeraj Shah is the founder and director of Net-Square. He has five years of experience in the field of security with a strong academic background. He has experience in system security architecture, system administration, network architecture, web application development and security consulting, and has performed network penetration testing and application evaluation exercises for many significant companies in the IT arena. Shreeraj graduated from Marist College with a Masters in Computer Science, and has a strong research background in computer networking, application development, and object-oriented programming. He received his Bachelor’s degree in Engineering, Instrumentation and Control from Gujarat University, and an MBA from Nirma Institute of Management, India.

Shreeraj is the co-author of "Web Hacking: Attacks and Defense", published by Addison Wesley. He has published several advisories, tools, and white papers as a researcher, and has presented at conferences including HackInTheBox, RSA, Blackhat, Bellua, CII, NASSCOM etc. You can find his blog at http://shreeraj.blogspot.com/.

For questions regarding event registration, please call +62-21-570-5800 (Ms. Astri). For general questions, please email bcs2006@bellua.com or send an empty message to bcs-announce-subscribe@bellua.com to receive future event information.

This document is available at PT BELLUA ASIA PACIFIC's website and protected by the copyright laws of the Republic of Indonesia and International treaties. All use subject to "DISCLAIMER" set forth at /disclaimer/