Application Security Audit Fault Injection Model, Fuzz Generators & Static Code Analysis. Training Brochure

Similar documents
EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Adobe Systems Incorporated

Penetration Testing in Romania

Effective Software Security Management

Penetration testing & Ethical Hacking. Security Week 2014

Hackers are here. Where are you?

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

EC-Council Certified Security Analyst (ECSA)

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Hackers are here. Where are you?

05.0 Application Development

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Technology Approved Certifications

(BDT) BDT/POL/CYB/Circular

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Web App Security Audit Services

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Analyze. Secure. Defend. Do you hold ECSA credential?

NETWORK PENETRATION TESTING

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Information Systems Security Certificate Program

ASU Web Application Security Standard

Information Security Services

! Resident of Kauai, Hawaii

Newsletter - September T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Web Application security testing: who tests the test?

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Professional Services Overview

InfoSec Academy Pen Testing & Hacking Track

90% of data breaches are caused by software vulnerabilities.

Please Note: Temporary Graduate 485 skills assessments applicants should only apply for ANZSCO codes listed in the Skilled Occupation List above.

Web Application Security

Web application security: automated scanning versus manual penetration testing.

Network Security Audit. Vulnerability Assessment (VA)

Cyber Security Operations Associate

2015 Vulnerability Statistics Report

CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST618 Designing and Implementing Cloud Security CAST

Manual Penetration Testing for ContractPal

MS Information Security (MSIS)

DIGITAL FORENSICS AND CYBER INCIDENT RESPONSE SERVICES

The Top Web Application Attacks: Are you vulnerable?

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Cutting Edge Practices for Secure Software Engineering

Common Security Vulnerabilities in Online Payment Systems

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

CYBER SECURITY TRAINING SAFE AND SECURE

Rational AppScan & Ounce Products

An approach to Web Application Penetration Testing. By: Whiskah

Secure Development Lifecycle. Eoin Keary & Jim Manico

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Application Security Testing. Generic Test Strategy

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Essential IT Security Testing

ISSECO Syllabus Public Version v1.0

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Australian Computer Society ANZSCO ICT Code descriptions v Further updates will be issued in

A Decision Maker s Guide to Securing an IT Infrastructure

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Ethical Hacking Penetrating Web 2.0 Security

Application Security Best Practices. Wally LEE Principal Consultant

Application Security Testing

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

InfoSec Academy Application & Secure Code Track

Training Course ECSA/LPT

SAST, DAST and Vulnerability Assessments, = 4

Software Development: The Next Security Frontier

Application Security in the Software Development Lifecycle

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Bellevue University Cybersecurity Programs & Courses

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Using Foundstone CookieDigger to Analyze Web Session Management

The Next Generation of Security Leaders

Seven Practical Steps to Delivering More Secure Software. January 2011

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

EC-Council. Certified. Internet Marketing Practitioner. Unravel the Mystery of. Internet Marketing C IMP

Application Code Development Standards

Interactive Application Security Testing (IAST)

Acano solution. Security Considerations. August E

Using Nessus In Web Application Vulnerability Assessments

SCADA SYSTEMS AND SECURITY WHITEPAPER

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Helmi Rais CERT-TCC Team Manager National Agency for Computer Security, Tunisia

Software Testing Certifications

Social Media Security Training and Certifications. Stay Ahead. Get Certified. Ultimate Knowledge Institute. ultimateknowledge.com

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Transcription:

Application Security Audit Fault Injection Model, Fuzz Generators & Static Code Analysis Training Brochure

Synopsis This Four-day practical training is designed for Information Systems auditors, application developers, risk as well as compliance auditors who need to update their technical and operational knowledge to audit technologies relating to automated web based systems. We will discuss the audit and controls required when auditing Internet and Intranet based Web Applications. In addition, you will learn techniques for auditing payment gateways and performing static code analysis including manual and automated review methods. Then you will turn your attention to auditing the management of application transaction activity, controls, and procedures. You will master techniques that can be applied to web-based applications, distributed processing, and client/server-based applications during the audit training. You will gain field-tested auditing tools for testing, identifying, recording, assessing and evaluating web application controls effectively. Various detailed web application audit case studies will provide step-by-step reinforcement of what you have learned, and you will leave this training with realworld examples of web application audit program, testing techniques, audit findings and methodologies. Course Objectives The course will Provide training on audit and security assessment testing practices of web applications Provide an overall description of the tools and methodologies used in web application audit and static code analysis (source code review) Explain and demonstrate the latest technologies used for audit and security assessment tests along with demonstrable and practical examples 2

Delivery As with all of our audit and security assessment courses, this course makes extensive use of practical exercises and draws heavily on the company's experience in performing security assessment tests and security audits as well as implementing enterprise security solutions. This is an instructor led course. It is primarily designed as a publicly scheduled course for corporate organisations. It can also be delivered as in-house / onsite training for corporate groups. Cost Onsite: N 1,500,000 (exclusive of 5% VAT) for any number of participants. 3

Course Description PART 1: Application Architectural Audit Using Fault Injection Model Module 1: Web Application (In)security explores the current state of security in web applications on the Internet today. Module 2: Web Application Architecture Review examines applications employed in a tiered architecture with the consequence that a failure to segregate different tiers properly often leaves an application vulnerable, enabling an attacker who has found a defect in one component to quickly compromise the entire application. Module 3: Core Defense Mechanisms describes the key security mechanisms that web applications employ to address the fundamental problem that all user input is untrusted. 4

Module 4: Web Application Technologies provides a primer on the key technologies that you are likely to encounter when attacking / assessing web applications. Module 5: Web Application Profiling delves into attack surface mapping and application information gathering techniques and attack plan formulation. Module 6: Bypassing Client-Side Controls examines one of the first areas of actual web application vulnerability, which arises when an application relies upon controls implemented on the client side for its security. Module 7: Auditing Authentication examines the various functions by which applications gain assurance of the identity of their users. This includes the main login function and also the more peripheral authentication related functions such as user registration, password changing, and account recovery. 5

Module 8: Auditing Session Management examines the mechanism by which most applications supplement the stateless HTTP protocol with the concept of a stateful session, enabling them to uniquely identify each user across several different requests. Module 9: Auditing Access Controls examines the ways in which applications actually enforce access controls and its relationship with authentication and session management mechanisms. This module also looks at ways in which these access controls can be broken and fixed. Module 10: Web Application Logic Audit examines a significant, and frequently overlooked area of every application s attack surface: the internal logic and design which it carries out to implement its functionality. 6

PART 2: Application Architectural Audit Using The Fuzzing Model (Fuzz Generators) Module 11: Code Injection Audit covers a large category of related vulnerabilities, which arise when applications embed user input into interpreted code in an unsafe way. SQLi, RFI and LFI are all covered. Module 12: Path Traversal Audit examines an all important category of vulnerabilities that arise when user input is passed to file system APIs in an unsafe way, enabling an attacker to retrieve or modify arbitrary files on the web server. Module 13: Audit Users Related Vulnerabilities investigates an area of related vulnerabilities which arise when defects within a web application can enable a malicious user of the application to attack other users and compromise them in various ways.. Vulnerabilities such as XSS and Session Fixation and will be discussed. 7

Module 14: Web Server Audit describes various ways in which you can target a web application by targeting the web server on which it is running. Module 15: Web Application Audit Methodology describes a comprehensive and structured collation of all the procedures and techniques described in the course and are organized and ordered according to the logical dependencies between tasks. This methodology can be used as a complete checklist and work plan when carrying out a web application security assessment. 8

PART 3: Software Security Review Using Static Code Analysis Module 16: Introduction to Static Code Analysis introduces basic static code analysis for auditors Module 17: Methods of Static Analysis describes a comprehensive approach and methods used in static code analysis Module 18: The Code Review Process delves into various steps involved in the code review process especially for large, monolithic and complex codebase Module 19: Manual Methods of Code Review covers various methods of manual source code audit including top down code analysis, control flow graphs and data flow analysis Module 20: SDLC & Automated Code Review examines the secure software development lifecycle as well as various tools used for white box automating code reviews. This section will include code entry point and candidate points as well as source to sink taint propagation method of code review Module 21: Enterprise Security Application Programming Interface provides a unique perspective to secure coding by examining the OWASP Enterprise Security API and its utilization in mitigating inherent risks in multiple language codebase. 9

Profile of Trainers Adewale Obadare Obadare Peter Adewale is a well recognized information security professional with numerous successful engagements to his credit in Nigeria. His skills and experience span Information Security, IT Governance,Risk Management,Compliance, Computer Forensics, and Business Continuity. He has worked as I.T Security auditor, vulnerability expert and system integrator at various organizations. His professional qualifications include: CHARTERED I T PROFESSIONAL (CITP) ISO 27001 LEAD IMPLEMENTER ISO 27001 LEAD AUDITOR BS 25999 LEAD AUDITOR LICENSED PENETRATION TESTER (LPT) EC- COUNCIL SECURITY ANALYST (ECSA) CERTIFIED ETHICAL HACKER (CEH) QUALYSGUARD CERTIFIED SPECIALIST (QCS) CISCO CERTIFIED INTERWORK EXPERT (CCIE WRITTEN) SECURING NETWORKS WITH ASA ADVANCE (SNAA) CISCO CERTIFIED DESIGN PROFESSIONAL (CCDP) CISCO CERTIFIED NETWORK PROFESSIONAL (CCNP) MICROSOFT CERTIFIED PROFESSIONAL (MCP) 10

Oluseyi Akindeinde Olu has over 12 years experience working in the IT and information security arena, but has spent the better part of the last few years exploring the security issues faced by Electronic Funds Transfer (EFT) and Financial Transaction Systems (FTS). He has presented the outcome of his research work at several conferences; including the Information Security Society of Africa (ISS), the forum of the Committee of Chief Inspectors of Banks in Nigeria, the apex bank - Central Bank of Nigeria (CBN) as well as 15 of the 24 financial institutions in Nigeria. In his professional life, Seyi, as he is otherwise called, sits on the board of two companies. In addition to being the CTO, he holds a vital position as the Senior Information Security Analyst at Digital Encode Ltd an information security advisory and assurance company, not only performing various technical security assessments and digital forensics but also providing technical consulting in the field of security design and strategic technology reviews for top notch local clients. He has over the years developed an in-depth knowledge of security modeling which has hitherto improved his ability to initiate, perform and deliver world class enterprise security services that add veritable value to the corporate goals and objectives of organizations. Olu is a research writer having written two books on Information Security Analytics. He is also the author of the Open Source Security Assessment Report (OSSAR) - a model framework for reporting and presenting enterprise security assessment findings. He is a speaker on matters bordering on information security, and has presented technical papers on a wide range of IT security and risk management topics for a number of high profile financial service providers at different retreats and forums. Furthermore, he has delivered several information security and ethical hacking training courses to delegates from diverse industries including finance, manufacturing, oil and gas, telecoms as well as State and Federal Government Agencies. He has administered security analysis and penetration testing courses to representatives of the National Assembly, Defense Intelligence Agency (DIA) and Office of the National Security Agency (NSA) through the annual Hacker Counterintelligence Program (HACOP) where he s been involved as a resident trainer and technical consultant for the last couple of years. Olu graduated with a BSc in Civil Engineering from the University of Lagos in the year 2000. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information