WEB APPLICATION SECURITY TESTING



Copyright 2012 ps_testware

Introduction

Nowadays every organization faces the threat of attacks on web applications. Research shows that more than half of all data breaches are initiated in web applications. The goals of these attacks are information theft or abuse of resources. The reasons these attacks are successful can be broken down into technical and human causes. In this one-day course, all your employees are trained to become aware of the problems and dangers related to the security of web applications and are shown the basic steps of how to test for them.

Intended audience

This course is intended for every person in an organization involved in, or just curious about, testing the security of web applications, its potential impacts, and possible solutions. While all developers need to know the basics of web application security testing, application security testers need to know all the advanced techniques for finding and diagnosing security problems in web applications. Although the same techniques can be used as for functional testing, testing web application security requires special skills and insights from testers and developers. Participants of this course will learn how to scope a security test and prioritize the work, understand the benefits and drawbacks of both manual and automated tools, know the techniques available and when to apply them, and learn how to determine the real risk value. In order to achieve these goals, students will assess the OWASP Top Ten security areas within a real-world application. This interactive course is taught by an experienced web application security tester.

Prerequisites

Although no prior experience with or knowledge about web application security is necessary, a basic understanding of the mechanisms of web applications and a basic awareness of web-related security is assumed.

The aim of this course is to create awareness in the field of web application security testing. During the course, interaction and discussion are encouraged.

On completion participants will

After this training, your employees are better able to:

- Understand the specific problems in web applications
- Understand and describe the OWASP top 10 vulnerabilities
- Understand the basics of testing for vulnerabilities in web applications
- Scope a security test and prioritize the work
- Understand the benefits and drawbacks of both manual and automated tools
- Understand the techniques available and when to apply them
- Determine the real risk value of web application vulnerabilities

Course outline (1 day)

The course includes the following modules:

Understanding web applications

This module explains why security should be considered when developing or deploying web applications. It identifies the locations of current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained. This module will provide a high-level overview of the working of web applications:

- Web applications explained
  - HTTP communication essentials
  - Client-side logic: HTML, CSS, Javascript
  - Rich Internet Applications
  - Browsers and safe surfing
  - Sniffing and the problems of wireless networks
- Authentication, authorization and session management
  - Authentication mechanisms: Basic / Digest authentication, form-based authentication, other forms of authentication
  - Session management
- Misunderstandings about security of web applications
  - Firewalls and network security
  - Authentication and access control
  - Encrypted connections and data encryption

Web application vulnerabilities explained

In order to successfully test the security of a system, an understanding of the potential weak points is essential. The OWASP top 10 represents the areas where security mistakes are most frequently made. These areas can be used as a framework when evaluating the security of a web application and allow you to focus on the key design and implementation choices that most affect your application's security. This module will show, at a high level, how to test for the most common problems in web applications:

- Man-in-the-middle attacks
- Tools for testing
  - Browsers, proxies
  - Automated vulnerability scanners and specialized tools
- OWASP Top 10
  - Input validation errors: A1 Cross-site scripting (XSS), A2 SQL injection, A10 Unvalidated redirects and forwards
  - Broken identity management: A3 Broken authentication and session management, A5 Cross-site request forgery (CSRF), A4 Insecure direct object references, A8 Failure to restrict URL access
  - Implementation errors: A6 Security misconfiguration, A7 Insecure cryptographic storage, A9 Insufficient transport layer protection

During this module demonstrations will be given by attacking a deliberately insecure application, and exercises will be done on real-world applications.

Testing web applications

Although the same techniques as used for functional testing are applicable, additional skills are needed in web application security testing. Knowing the vulnerabilities, how to detect them, and what tools to use, together with a risk-based approach, are essential for a successful test execution. This module presents a high-level overview of various testing techniques that can be employed when building a testing program:

- Differences with functional testing
- Black-box vs white-box
- Test methodology and approach: structured testing, risk-based testing, exploratory testing
- Integration into the software development lifecycle; when to test? Waterfall-based environments, Agile-based environments
- Sources of information

How to continue your training

Web application security testing takes time to learn and needs constant practice. Not many people have access to web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised and to train in using them. All of this needs to happen in a safe and, more important, legal environment. Even if your intentions are good, you should never attempt to find vulnerabilities without permission. This module will provide options for setting up a safe testing environment and provide sources for further training (virtualization, tools, offline and online training applications).

Price information & course details

- Course hours: 9:00 to 17:30, with a lunch break from 12:30 to 13:30; ps_testware provides laptops and USB sticks for each participant.
- Course fee: EUR 595,- (includes handouts, refreshments and lunch).
- Group discount: 3rd participant (-5%), 4th participant (-10%), 5th and 6th participant (-15%).
- Flemish participants can obtain a 50% reduction via the KMO-portefeuille by using our accreditation number DV.O104235. More info: www.kmo-portefeuille.be

REGISTRATION FORM

Name of course:
Course location:
Course date(s):
Course fee: ........ x ........ = ........
Exam fee: N/A x ........ = ........
TOTAL: ........

Registrant(s):
  Full name | Email | Phone | Exam
  ......... | ..... | ..... | N/A
  ......... | ..... | ..... | N/A
  ......... | ..... | ..... | N/A

Organisation:
Contact person (if not registrant):
Phone No:
Contact email address:
Invoice address:
Our reference number:
VAT number:

I have read, understood and agreed to the ps_testware Terms and Conditions related to courses, as outlined in the accompanying document. Payment will be done based on the invoice received for this registration.

Signature:                          Date:

Please fax this completed form to either:
- Fax: +32-16-35.93.88 for courses being held in Belgium
- Fax: +33-3-59.30.42.02 for courses being held in France
- Email: info@pstestware.com

Terms & Conditions ps_testware courses

A signed registration form, returned to one of the ps_testware offices, indicates that you have read and agreed to the terms and conditions set out below:

1. A place on any course is reserved only upon receipt of a signed course registration form accompanied by a purchase order (if applicable) for an amount equal to the quoted course fee.
2. Full payment for all course activities will be done according to the payment conditions indicated on the invoice.
3. ps_testware reserves the right to cancel or re-schedule courses. In the event of such cancellation all paid fees will be credited towards the next available course.
4. In the event of customer cancellation, 25% of the course fee will be invoiced if registration is cancelled within 1 month before the course and 100% of the course fee will be invoiced if registration is cancelled within two weeks before the course. Course participants can be replaced at no cost. There is no refund possible for the exam fee in case of (exam) cancellation.
5. Specific course details (introduction, intended audience, results, course outline, time table) can be found on our website (www.pstestware.com, services - training) or in the applicable course flyer.
6. Our courses can also be organized on demand, on site at your premises or online.
7. All courses include lunch and refreshments.
8. Course material and exams are in English. Courses are given in the applicable local language. However, when not all participants speak the same language, English is used.
9. All prices are excluding VAT.
10. The following group discount is applicable: 3rd participant (-5%), 4th participant (-10%), 5th and 6th participant (-15%).
11. In the case of the ISTQB courses, if an exam (certification) is chosen to be part of the course, then the exam fee(s) are required to be part of the total quoted course fee. The exam fee for Foundation is 200,00 and for Advanced is 250,00.
12. Public course dates can be found on our website (www.pstestware.com, services - training).