
Anti-Hacking for Secure HTTP and Coding


Been hacked? Was it because your HTTP code was not secure? In this 2-day class you will hack and defend corporate web services from being compromised. There are 10 clever technical labs and 3 escalating workshops that take you from being a geek to being a secure geek. Good coders are not born, they are taught! Learn the correct way to distinguish good code from bad, identify how your policy may force you to write bad code, and how to incorporate good coding during software upgrades. You leave class with a secure coding checklist that you can use for all your development projects, a template to categorize vulnerabilities, a matrix to verify requirements, and a framework to test for vulnerabilities.


Get Smart on Web Application Security
Web applications are the latest goldmine for criminals bent on gathering valuable corporate and consumer data. SQL injections, cross-site scripting vulnerabilities, forceful browsing, input validation exploits and cookie manipulation are rampant and successful against a number of high-profile, well-secured, brand name websites. In fact, 48 percent of all new vulnerabilities exposed in the last half of 2004 were in web applications, up from 39 percent in the first half of that same year, according to Symantec - making web applications the number one vector for attackers.

Here's a small sampling of web application attacks and vulnerabilities reported over the past 18 months:

SQL injections, which were exploited to compromise the customer database at Tiffany.com and, in a separate case, to expose 500,000 Petco customer credit cards.

Cross-site scripting vulnerabilities, as when Google G-Mail accounts were rendered accessible without authentication.

Forceful browsing, used to expose the police files in the State of Minnesota and, separately, to expose Paymaxx's customer tax identification information.

Cookie manipulation or cookie poisoning, as evidenced by Gateway Computer when customer order information was exposed, including credit card CVV and expiration dates. FTD.com was affected similarly by the same attack method.

URL parameter tampering, to which Microsoft Asp.net and Morgan Stanley were both vulnerable in the recent past.

Class Fee: $1,195*
Time: 8:30 am - 4:00 pm
Location: TBD
Learning Level: Beginner
Prerequisites: Web Application Developer
CPE Credits: 16
Instructor: TBD

What You Will Learn:

  1. State of the application security industry (What, Why)
    • Hackers
    • Time to market
  2. Integrating Security into your Application Lifecycle
  3. Web Technology overview
    • Elements
    • Address the security provided by typical perimeter security (DMZ, firewall, IDS, reverse proxies, etc.)
    • The client base (browsers, and such)
    • Application firewalls (Checkpoint-AI and Teros, Kavado)
  4. Application Security Foundations
    • Authentication
    • Authentication schemes
    • Kerberos
    • Authorization
    • Least privilege, user accountability, separation of duties
    • ACLs and capability lists
    • Group policies
    • Auditing
    • Administration
    • Secure Channel (SSL, TLS)
  5. Types of attacks
    • Common pitfalls, in C, C++, JAVA, and VB
    • Buffer Overflows
    • Format Strings
  6. Types of Solutions
    • Input validation
    • Canonicalization
    • Code review
    • Automated assessment tools
  7. Web Servers
    • Apache
    • Microsoft IIS 5 and 6
    • Iplanet
  8. Application Servers
    • WebSphere
    • J2EE
    • Microsoft .NET
    • WebLogic
  9. Portals
    • SunOne
    • Plumtree
    • Vignette
  10. Application Platforms - Middleware security
    • MQseries
    • Tibco
  11. Database Management Systems
    • Oracle
    • DB2
  12. Directory Systems
    • Iplanet
    • Microsoft AD
  13. Web Services
    • XML
    • SOAP
    • UDDI
  14. Peer-to-Peer Networking
    • Groove
  15. Web Access Management
    • Siteminder
    • Tivoli Access Manager
    • RSA ClearTrust
    • Oblix
  16. Assessment Methodologies
    • Nikto
    • owasp.org
    • WebInspect and/or Sanctum on broken systems.

*Class fees are subject to change

Copyright © 2008 Security University, Inc. All rights reserved.