WEB APPLICATION SECURITY TESTING
Copyright 2012 ps_testware 1/7
Introduction

Nowadays every organization faces the threat of attacks on web applications. Research shows that more than half of all data breaches are initiated in web applications. The goals of these attacks are information theft or abuse of resources. The reasons these attacks are successful can be broken down into technical and human causes. In this one-day course, all your employees are trained to become aware of the problems and dangers related to the security of web applications and are shown the basic steps of how to test for them.

Intended audience

This course is intended for every person in an organization involved in, or just curious about, testing the security of web applications, its potential impacts, and possible solutions. While all developers need to know the basics of web application security testing, application security testers need to know all the advanced techniques for finding and diagnosing security problems in web applications. Although the same techniques can be used as for functional testing, testing web application security requires special skills and insights from testers and developers. Participants of this course will learn how to scope a security test and prioritize the work, understand the benefits and drawbacks of both manual and automated tools, know the techniques available and when to apply them, and learn how to determine the real risk value. In order to achieve these goals, students will assess the OWASP Top Ten security areas within a real-world application. This interactive course is taught by an experienced web application security tester.

Prerequisites

Although no prior experience with or knowledge about web application security is necessary, a basic understanding of the mechanisms of web applications and a basic awareness of web-related security is assumed.

On completion participants will

The aim of this course is to create awareness in the field of web application security testing. During the course, interaction and discussion are encouraged.
After this training, your employees are better able to:
- Understand the specific problems in web applications
- Understand and describe the OWASP top 10 vulnerabilities
- Understand the basics of testing for vulnerabilities in web applications
- Scope a security test and prioritize the work
- Understand the benefits and drawbacks of both manual and automated tools
- Understand the techniques available and when to apply them
- Determine the real risk value of web application vulnerabilities
Course outline (1 day) includes the following modules:

Understanding web applications

This module explains why security should be considered when developing or deploying web applications. It identifies the locations of current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained. This module will provide a high-level overview of the working of web applications:
- Web applications explained
- HTTP communication essentials
- Client-side logic: HTML, CSS, Javascript
- Rich Internet Applications
- Browsers and Safe Surfing
- Sniffing and the problems of wireless networks
- Authentication, Authorization and Session management
  - Authentication mechanisms: Basic / Digest authentication, Form based authentication, Other forms of authentication
  - Session management
- Misunderstandings about security of web applications
  - Firewalls and network security
  - Authentication and access control
  - Encrypted connections and data encryption

Web application vulnerabilities explained

In order to successfully test the security of a system, an understanding of the potential weak points is essential. The OWASP top 10 represents the areas where security mistakes are most frequently made. These areas can be used as a framework when evaluating the security of a Web application and allow you to focus on the key design and implementation choices that most affect your application's security. This module will show on a high level how to test for the most common problems in web applications:
- Man-in-the-middle attacks
- Tools for testing
  - Browsers, Proxies
  - Automated Vulnerability Scanners and specialized tools
- OWASP Top 10
  - Input validation errors: A1 Cross-site scripting (XSS), A2 SQL injection, A10 Unvalidated redirects and forwards
  - Broken identity management: A3 Broken authentication and session management, A5 Cross-site request forgery (CSRF), A4 Insecure direct object references, A8 Failure to restrict URL access
  - Implementation errors: A6 Security misconfiguration, A7 Insecure cryptographic storage, A9 Insufficient transport layer protection

During this module demonstrations will be given by attacking a deliberately insecure application, and exercises will be done on real-world applications.

Testing web applications

Although the same techniques as used for functional testing are applicable, additional skills are needed in web application security testing. Knowing the vulnerabilities, how to detect them, and what tools to use, next to a risk-based approach, are essential for a successful test execution. This module presents a high-level overview of various testing techniques that can be employed when building a testing program.
- Differences with functional testing
- Black-box vs white-box
- Test Methodology and Approach: Structured testing, Risk-based testing, Exploratory testing
- Integration into the software development lifecycle; when to test? Waterfall based environments, Agile based environments
- Sources of information

How to continue your training

Web application security testing takes time to learn and needs constant practice. Not many people have access to web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised and to train in using them. All of this needs to happen in a safe and, more important, legal environment. Even if your intentions are good, you should never attempt to find vulnerabilities without permission. This module will provide options for setting up a safe testing environment and provide sources for further training (Virtualization, Tools, Offline & Online training applications).
Price information & course details

Course hours: 9:00 to 17:30, with a lunch break from 12:30 to 13:30; ps_testware provides laptops and USB sticks for each participant.
Course fee: EUR 595,- Includes handouts, refreshments and lunch.
Group discount: 3rd participant (-5%), 4th participant (-10%), 5th and 6th participant (-15%)
Flemish participants can obtain a 50% reduction via the KMO-portefeuille by using our accreditation number DV.O104235. More info: www.kmo-portefeuille.be
REGISTRATION FORM

Name of course:
Course location:
Course Date(s):
Course Fee: x =
Exam Fee: x = N/A
TOTAL: =
Registrant(s): Full name / Email / Phone / Exam (N/A)
Organisation:
Contact person (if not registrant):
Phone No:
Contact Email Address:
Invoice address:
Our reference number:
VAT number:

I have read, understood and agreed to ps_testware Terms and Conditions, related to courses, as outlined in the accompanying document. Payment will be done based on the received invoice for this registration.

Signature: Date:

Please fax this completed form to either:
Fax: +32-16-35.93.88 for courses being held in Belgium
Fax: +33-3-59.30.42.02 for courses being held in France
Email: info@pstestware.com
Terms & Conditions ps_testware courses

A signed registration form, returned to one of the ps_testware offices, indicates that you have read and agreed to the terms and conditions set out below:
1. A place on any course is reserved only upon receipt of a signed course registration form accompanied by a purchase order (if applicable) for an amount equal to the quoted course fee.
2. Full payment for all course activities will be done according to the payment conditions as indicated on the invoice.
3. ps_testware reserves the right to cancel or re-schedule courses. In the event of such cancellation all paid fees will be credited towards the next available course.
4. In the event of customer cancellation, 25% of the course fee will be invoiced if registration is cancelled within 1 month before the course and 100% of the course fee will be invoiced if registration is cancelled within two weeks before the course. Course participants can be replaced at no cost. There is no refund possible for the exam fee in case of (exam) cancellation.
5. Specific course details (introduction, intended audience, results, course outline, time table) can be found on our website (www.pstestware.com services - training) or in the applicable course flyer;
6. Our courses can also be organized on demand, on site at your premises or online;
7. All courses include lunch and refreshments;
8. Course material and exams are in English. Courses are given in the applicable local language. However, when not all participants speak the same language, then the English language is used;
9. All prices are excluding VAT;
10. The following group discount is applicable: 3rd participant (-5%), 4th participant (-10%), 5th and 6th participant (-15%);
11. In case of the ISTQB courses, if an exam (certification) is chosen to be part of the course, then the exam fee(s) are required to be part of the total quoted course fee. The exam fee for Foundation is 200,00 and for Advanced is 250,00;
12. Public course dates can be found on our website www.pstestware.com services - training;