5
TECHNOLOGY TRANSFER PRESENTS [email protected] www.technologytransfer.it AND HOW TO MAJOR WEB ATTACKS DEFEAT THEM KEN VAN WYK JUNE 7-9, 2010 VISCONTI PALACE HOTEL - VIA FEDERICO CESI,37 ROME (ITALY)

Major Web Attacks and How to Defeat Them

Embed Size (px)

DESCRIPTION

This course teaches the students how to develop secure web applications in today’s complex internetworked environment.

Citation preview

Page 1: Major Web Attacks and How to Defeat Them

TECHNOLOGY TRANSFER PRESENTS

[email protected]

AND HOW TOMAJOR WEB ATTACKS

DEFEAT THEM

KENVAN WYK

JUNE 7-9, 2010VISCONTI PALACE HOTEL - VIA FEDERICO CESI, 37

ROME (ITALY)

Page 2: Major Web Attacks and How to Defeat Them

MAJOR WEB ATTACKS AND HOW TO DEFEAT THEM

ABOUT THIS SEMINAR

This class starts with a description of the security problems faced by today’s software developer, as well as adetailed description of the Open Web Application Security Project’s (OWASP) “Top 10” security defects. Thesedefects are studied in instructor-lead sessions as well as in hands-on lab exercises in which each studentlearns how to actually exploit the defects to “break into” a real Web application. (The labs are performed in safetest environments.)Remediation techniques and strategies are then studied for each defect. Practical guidelines on how to inte-grate secure development practices into the software development process are then presented and discussed.

WHO SHOULD ATTEND

The ideal student for this tutorial is a hands-on Web application Developer or Architect who is looking for a fun-damental understanding of today’s Best Practices in secure software development:

• Software Testers• Software Developers• Development and Test Managers• Security Auditors and anyone involved in software production for resale or internal use will find it valuable• Information Security and IT Managers• Information Assurance Programmers• Information Security Analysts and Consultants• Internal Auditors and Audit Consultants• QA Specialists

REQUIREMENTS

Each student will need to provide a laptop computer for the hands-on lab exercises. Recommended configura-tions include the following:

• Windows XP, IE 6.X or Firefox 3.X browser• Local administrative privileges for installing and configuring software• Approximately 5 gigabytes of available disk space• 2 gigabyte of RAM is recommended

Page 3: Major Web Attacks and How to Defeat Them

OUTLINE

1. Preparation Phase:Understanding the problem

• What are the issues that result insoftware that is susceptible to at-tack?•Why do software developers con-tinue to develop weak software?

2.Overview of available solu-tions

• Top-level discussion of BestPractices for developing securesoftware• Security activities that can be in-tegrated throughout a typicalsoftware development lifecycle

3. Lab setup and demo

• Students install and configuresoftware tools to be used in theupcoming exercises• The instructor demonstrates thetools and runs through a sampleexercise to ensure all studentscan use the tools correctly• Review of Web application basics-HTTPmethods (e.g.,GET,POST)- Identification and authentication- Session Management

4. ExploitingWeb applicationweaknesses

• Introduction to OWASP top 10(and other) security weaknessesin Web applications• How do attackers exploit theseweaknesses?• Class exercises of themost com-monWeb application weaknesses

5. Secure development processes

• A detailed look at three commonsecure development methodolo-gies, and their strengths andweaknesses- Microsoft’s SDL- Cigital’s Touchpoints- OWASP’s CLASP• Group discussion of the feasibi-lity of the processes

6. Processes in depth:Static code analysis

• Description of static code reviewprocesses• Automated vs.peer review compa-rison of benefits andweaknesses• Background of available automa-ted static code review tool tech-nology• Integrating a static code reviewtool into a software developmentprocess effectively

7. Processes in depth:security testing

• Black box vs.white box securitytesting of software• Overview of common testingmethodologies and tools• Penetration testing• Fuzz testing• Dynamic validation

8. Coding Hands-on

• Hands-on lab exercises to fix abroken web app (Java EE)- SQL injection(OWASP Issue 1)- Cross-site scripting(OWASP Issue 2)- Access control

9.Getting started

• Key elements to succeeding witha software security initiative• Developing an action plan• First steps

Page 4: Major Web Attacks and How to Defeat Them

KEN VAN WYKMAJOR WEB ATTACKSAND HOW TODEFEAT THEM

June 7-9, 2010Visconti Palace HotelVia Federico Cesi, 37Rome (Italy)

Registration fee:€ 1500

If registered participants are unable to attend,or in case of cancellation of the seminar, thegeneral conditions mentioned before areapplicable.

first name ...............................................................

surname .................................................................

job title ...................................................................

organisation ...........................................................

address ..................................................................

postcode ................................................................

city .........................................................................

country ...................................................................

telephone ...............................................................

fax ..........................................................................

e-mail .....................................................................

Send your registration formwith the receipt of the payment to:Technology Transfer S.r.l.Piazza Cavour, 3 - 00193 Rome (Italy)Tel. +39-06-6832227 - Fax +39-06-6871102info@technologytransfer.itwww.technologytransfer.it

Stamp and signature

INFORMATION

PARTICIPATION FEE

€ 1500

The fee includes all seminardocumentation, luncheon and coffeebreaks.

VENUE

Visconti Palace HotelVia Federico Cesi, 37Rome (Italy)

SEMINAR TIMETABLE

9.30 am - 1.00 pm2.00 pm - 5.00 pm

HOW TO REGISTER

You must send the registration form withthe receipt of the payment to:TECHNOLOGY TRANSFER S.r.l.Piazza Cavour, 3 - 00193 Rome (Italy)Fax +39-06-6871102

withinMay 24, 2010

PAYMENT

Wire transfer to:Technology Transfer S.r.l.Banca Intesa Sanpaolo S.p.A.Agenzia 6787 di RomaIban Code:IT 34 Y 03069 05039 048890270110

GENERAL CONDITIONS

GROUP DISCOUNT

If a company registers 5 participants tothe same seminar, it will pay only for 4.Those who benefit of this discount are notentitled to other discounts for the sameseminar.

EARLY REGISTRATION

The participants who will register 30 daysbefore the seminar are entitled to a 5%discount.

CANCELLATION POLICY

A full refund is given for any cancellationreceived more than 15 days before theseminar starts. Cancellations less than15 days prior the event are liable for 50%of the fee. Cancellations less than oneweek prior to the event date will be liablefor the full fee.

CANCELLATION LIABILITY

In the case of cancellation of an event forany reason, Technology Transfer’sliability is limited to the return of theregistration fee only.

Page 5: Major Web Attacks and How to Defeat Them

Ken Van Wyk is an internationally recognized information security expert and author of the O’Reilly and As-sociates books, “Incident Response and Secure Coding”. In addition to providing consulting and trainingservices through his company, KRvW Associates, LLC, he currently holds numerous positions: as a monthlycolumnist for on-line security Portal, eSecurityPlanet and a Visiting Scientist at Carnegie Mellon University’sSoftware Engineering Institute. Mr. Van Wyk has 20+ years experience as an IT Security practitioner in theacademic, military, and commercial sectors. Mr. Van Wyk also served a two-year elected position as a mem-ber of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST) organization.At the Software Engineering Institute of Carnegie Mellon University, Mr. Van Wyk was one of the founders ofthe Computer Emergency Response Team (CERT®).

SPEAKER


A Taxonomic Approach for Classifying and Identifying ... · handle attacks by organizing them into taxonomic categories. Because attacks can often be similar in modality but require

A Taxonomic Approach for Classifying and Identifying ... · handle attacks by organizing them into taxonomic categories. Because attacks can often be similar in modality but require

Documents
Working together to defeat attacks against AV automation

Working together to defeat attacks against AV automation

Documents
Side-channel attacks on PKC and countermeasures …math-sa-sara0050/space16/slides/space... · Challenge: recent horizontal attacks belong to SPA techniques Can defeat some countermeasures

Side-channel attacks on PKC and countermeasures …math-sa-sara0050/space16/slides/space... · Challenge: recent horizontal attacks belong to SPA techniques Can defeat some countermeasures

Documents
Foothold Attacks - USALearning · Foothold Attacks . Table of Contents ... of the three things you're really concerned . about. ... Redirect them all to your machines. Chris Evans:

Foothold Attacks - USALearning · Foothold Attacks . Table of Contents ... of the three things you're really concerned . about. ... Redirect them all to your machines. Chris Evans:

Documents
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them

Understanding Fileless (or Non-Malware) Attacks and How to Stop Them

Technology
Five revenue killers and how to defeat them...Revenue killer 1 Five revenue killers and how to defeat them The quarterly business review is looming, and you haven t hit your quota

Five revenue killers and how to defeat them...Revenue killer 1 Five revenue killers and how to defeat them The quarterly business review is looming, and you haven t hit your quota

Documents
Attack Patterns: Knowing Your Enemy in Order to Defeat Them

Attack Patterns: Knowing Your Enemy in Order to Defeat Them

Documents
Defeat Mechanism

Defeat Mechanism

Documents
7 Salesforce Admin Villains and How to Defeat Them

7 Salesforce Admin Villains and How to Defeat Them

Business
Defeat Goliath

Defeat Goliath

Documents
eBook the Imminent Threat of Application Attacks and How to Defend Against Them

eBook the Imminent Threat of Application Attacks and How to Defend Against Them

Documents
Traditional approaches vs. contemporary attacks How have bad-guy methods changed? What motivates them now?

Traditional approaches vs. contemporary attacks How have bad-guy methods changed? What motivates them now?

Documents
THE ZONES OF REGULATION®ucpofmaine.org/.../2015/06/lesson-12-zones-of-regulation.pdfthinking that is putting them in the Yellow Zone. Ask them to call on Superflex to help them defeat

THE ZONES OF REGULATION®ucpofmaine.org/.../2015/06/lesson-12-zones-of-regulation.pdfthinking that is putting them in the Yellow Zone. Ask them to call on Superflex to help them defeat

Documents
One Glitch to Rule Them All: Fault Injection Attacks

One Glitch to Rule Them All: Fault Injection Attacks

Documents
Defeat Dyslexia

Defeat Dyslexia

Business
Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Technology
Byzantine Empire - CVmrsburrowsroom24.weebly.com/uploads/3/7/7/9/.../dbq... · 0 2011 The DBQ project Rome Early Attacks on Constantinople Byzantines defeat Persians and Avars, 626

Byzantine Empire - CVmrsburrowsroom24.weebly.com/uploads/3/7/7/9/.../dbq... · 0 2011 The DBQ project Rome Early Attacks on Constantinople Byzantines defeat Persians and Avars, 626

Documents
Types of Cyber-Attacks and How to Prevent Them · protections by instigating attacks from the inside. Also, employees are can lose mobile devices or expose them to breach when they

Types of Cyber-Attacks and How to Prevent Them · protections by instigating attacks from the inside. Also, employees are can lose mobile devices or expose them to breach when they

Documents
Web Security School Lesson 2 Web attacks and how to defeat them

Web Security School Lesson 2 Web attacks and how to defeat them

Documents
IED Defeat

IED Defeat

Documents
CLEAN DEFEAT

CLEAN DEFEAT

Documents
DDoS Attacks and How to Mitigate Them

DDoS Attacks and How to Mitigate Them

Business
On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis

On the Use of Masking to Defeat Power-Analysis Attacks ... · Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd 1/32. 2/32 Outline Power-Analysis

Documents
Defeat Degeneration

Defeat Degeneration

Documents
3 Enablers of Successful Cyber Attacks and How to Thwart Them

3 Enablers of Successful Cyber Attacks and How to Thwart Them

Technology
Social Network Supermarkets and How to Defeat Them

Social Network Supermarkets and How to Defeat Them

Technology
DEFEAT - ASELSAN

DEFEAT - ASELSAN

Documents
DEFEAT: ORBONNE -

DEFEAT: ORBONNE -

Documents
An Analysis of Adversarial Attacks and Defenses on Autonomous … · can effectively defend against different attacks, none of them are able to provide adequate protection against

An Analysis of Adversarial Attacks and Defenses on Autonomous … · can effectively defend against different attacks, none of them are able to provide adequate protection against

Documents
If adware attacks, how to defeat it

If adware attacks, how to defeat it

Software