LASCON 2013 has ended
Training
Tuesday, October 22
 

8:00am CDT

Defensive Programming for PHP

Title: Defensive Programming for PHP
Trainer: Mike Doyle
When: October 22nd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals


Abstract:
This full-day course helps PHP developers understand the features and specifics of the platform that can potentially introduce risks. The course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

The features and specifics covered by this course include (but are not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Defensive techniques covered by this course include the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery prevention, transport security, and techniques for the prevention of injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

  • PHP Platform Security
  • The PHP Application Risk Landscape
  • Secure Design Principles
  • Defensive Programming Techniques in PHP
  • Secure PHP Architecture and Configuration

Labs and Demonstrations

Two labs guide the student through secure configuration and remediation of an insecure PHP application. These labs are provided as an Oracle VirtualBox VM running a typical LAMP stack with configuration management provided by Puppet. A variety of supplemental open source development and security tools are provided on the VMs. Students who wish to participate are encouraged to bring their own laptops with Oracle VirtualBox. Students may wish to collaborate in pairs or small groups.

There are also two interactive demonstrations in which the PHP application is exploited to show directory traversal, information leakage, and SQL injection.
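As an added illustration of three of the issues this course names (dynamic file inclusion with directory traversal and the historical null-byte truncation, and SQL injection), here is a short PHP sketch showing the vulnerable form of each beside its hardened form. It is example code written for this listing, not material from the course or its lab VM; the `templates/` directory, the page names in the allowlist and the `users` table are assumed for the demonstration.

```php
<?php
// Added editorial example, not course material. Assumed: a templates/ directory
// beside this script, a users table, and the page names in the allowlist.
declare(strict_types=1);

// Dynamic file inclusion, vulnerable form: the request parameter becomes a path.
// ?page=../../../etc/passwd walks out of templates/. Before PHP 5.3.4 a %00 in
// the parameter also truncated the path at the NUL byte, so the ".php" suffix
// appended here was silently dropped; PHP now rejects any path containing NUL.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/templates/' . $page . '.php';
}

// Hardened form: map the parameter to a known file and never use it as a path.
const PAGE_FILES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    // Traversal sequences, NUL bytes and absolute paths simply fail the lookup.
    if (!array_key_exists($page, PAGE_FILES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . PAGE_FILES[$page]);
    // Second line of defence: the resolved file must still sit under templates/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// SQL injection, vulnerable form: string concatenation lets the value end the
// literal, so a username of  ' OR '1'='1  turns the predicate into a tautology.
function find_user_vulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: a prepared statement binds the value, so it is only ever
// compared as data and can match just a user literally named that.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$payload = "' OR '1'='1";
var_dump(find_user_vulnerable($db, $payload)); // the tautology matches a real row
var_dump(find_user($db, $payload));            // the payload is compared as a literal username

var_dump(resolve_page('../../../etc/passwd')); // not an allowlist key
var_dump(resolve_page("home\0"));              // a NUL byte is not a key either
var_dump(resolve_page('home'));                // only a known key reaches the filesystem
```

Run it with `php example.php` from a directory that contains a `templates/` subdirectory; the SQLite part needs only the pdo_sqlite extension. The essential property of the hardened include is that the request parameter never reaches the filesystem as a path at all; the `realpath` prefix check is a second line of defence against a misconfigured allowlist, not a substitute for it.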




Speakers

Mike Doyle

Senior Consultant, Cigital


Tuesday October 22, 2013 8:00am - 5:00pm CDT
Gemalto Room A, Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

8:00am CDT

Secure Developer Training: OWASP Top 10++ (2 Day Training)

Title: Secure Developer Training: OWASP Top 10++
Trainer: Matt Tesauro
When: October 22nd and 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $495, includes meals


Abstract:
The Secure Development Training is a two-day (16 hour) instructor-led course that covers a variety of topics including the OWASP Top 10 Web Application Security Vulnerabilities, Threat Modeling, Basic Security Theory and Encryption. The course includes hands-on labs, interactive exercises and group-discussion-driven exercises. Special attention is given to mitigation of vulnerabilities in the lab application, particularly at design time or during initial application development.

Real-world examples drawn from the pen testing experience of the instructor are used to demonstrate how minor vulnerabilities can be chained into surprising compromises. The goal of this course is to increase security awareness and experience among developers, with the subsequent result of producing increasingly rugged code going forward. Additional information covering the gamut of resources available to developers from OWASP is interwoven into the course. On completing the course, attendees should have increased their security fu substantially.

The lab application is written in Python but the training will be programming language agnostic.



Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Tuesday October 22, 2013 8:00am - 5:00pm CDT
21CT Room, Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

8:00am CDT

Securing Mobile Devices and Applications (2 Day Training)

Title: Securing Mobile Devices and Applications
Trainer: David Lindner
When: October 22nd and 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $495, includes meals


Abstract:
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. With the number of mobile applications available in Google Play and the Apple App Store nearing 1.5 million, and vulnerabilities skyrocketing, it is imperative to apply standard application security practices. But how is mobile different?

This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.



Speakers

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application...


Tuesday October 22, 2013 8:00am - 5:00pm CDT
HackersForCharity.org Room, Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 
Wednesday, October 23
 

8:00am CDT

Defensive Programming for JavaScript & HTML5 - 1 DAY TRAINING

Title: Defensive Programming for JavaScript & HTML5
Trainer: Ksenia Dmitrieva
When: October 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals


Abstract:
Understand JavaScript and HTML5 Features to Secure Your Client-side Code.

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (DOM and SOP), XSS, CSRF, DOM manipulation, Sandboxing iframes, JavaScript Execution Contexts, CORS, Web Messaging, Web Storage, and JSON.
This course is structured into modules and includes code analysis and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications
• Implementing Secure Dataflow
• JSON-related Techniques

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
Class size is limited to a maximum of 20 students.

Labs and Demonstrations
If students bring their own laptops with VirtualBox installed, they can install an Ubuntu VM (provided by the instructor) containing an insecure web application and participate in two interactive lab sessions where they learn to fix issues related to the localStorage object, web messaging, the sandbox attribute for iframes, input validation and output encoding, parsing JSON data, and cross-site scripting. There are also two interactive demonstrations showing how to tamper with client-side data, evade client-side filters and work with Firebug. The labs are not compulsory to get the full value of the course.

 


Speakers

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing...


Wednesday October 23, 2013 8:00am - 5:00pm CDT
Gemalto Room A, Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
