Web Application Security Testing

Instructor: Bill Sempf & Brian King

Overview

Bill Sempf & Brian King will be joining us to teach a dynamic course to help us think like an attacker and give us all the coding tips we need to stop them cold in their tracks. Even the most experienced developers are sure to pick up some new tips and tricks; this hands-on day will have something for everyone. Before we start, there will be some setup for labs and tools – so plan some time in advance and bring your Windows, Macintosh, or Linux laptop!

Learning Objective and Outcomes

  • Introduction: Problems and solutions as they relate to application security and principles of application security
  • Demo a purposefully vulnerable web application, and work with tools
  • Authentication: Covers all aspects of secure authentication, including building secure login screens, password storage, secure interactions between sites, and an overview of many other topics.
  • Authorization: Basic authorization best practices
  • Information Disclosure: How your site will give information to the attackers, and what to do about it
  • Injection: SQL, command, and LDAP injection, just to name a few. How attacker-controlled input reaches a backend system as commands
  • Browser attacks: Finding and exploiting cross site scripting vulnerabilities

Student Requirements and Prerequisites

  • Basic understanding of HTTP protocols and web applications

What Students Should Bring

  • A Linux, Mac or Windows laptop with VirtualBox installed

Instructor Bios

Bill Sempf is an author and application security architect, experienced in application penetration testing, tools creation, and building relationships with application developers. His work on mobile applications is published by CIO magazine. He has presented his original security research at BlackHat EU, DerbyCon, and OWASP AppSec USA. He developed TigerTrax threat intelligence modules in Python to gather specific information from the Facebook Open Graph, collect defined information from search APIs, and parse large text corpora for specific grammar phrases. He also created a comprehensive set of Cross-Site Scripting vectors for use in testing service layers for XSS using Burp Suite’s Intruder. He has experience testing large-scale web applications for Fortune 100 organizations using Burp Suite, IBM AppScan, Metasploit, Kali Linux and many other tools. Bill is assisting the Information Technology department at Columbus State Community College with the creation of their Cyber Security Curriculum as an industry specialist. Bill is an instructor for the GenCyber program, an NSA-funded cybersecurity education program for high school teachers.

Brian “BB” King is a penetration tester at Black Hills Information Security, who tweets intermittently as @BBhacKing. He speaks at security conferences about the importance of clear communication and has given training for developers and QA testers at Codemash. Brian’s security career started in 2008 when his experience with QA testing led to a role on the then-new application security group at a large banking and payments organization. He helped to keep that team effective as it grew by writing standards and processes for testing, reporting, and working with developers, and by creating training modules for new security testers to follow. As the team grew, he created and delivered training to teams of developers who wanted to use vulnerability scanners themselves as part of their SDLC. He’s worked closely with those developers to help them find bugs, develop remediation strategies, and test again afterwards to make sure the fixes worked and also didn’t break anything else along the way. Brian believes that pentesting to find vulnerabilities in live systems is a pretty good way to make things safer. But another way – maybe a better one – is to work with the designers and developers so that security can be part of the mindset from the start.

Date and Time

November 1, 2019

  • Morning session: 8:30 AM to 12:00 noon
  • Lunch break: 12:00 to 1:00 PM
  • Afternoon session: 1:00 PM to 4:30 PM

Registration

Go to the registration page to register for the training course and select “Ohio LinuxFest Institute Professional Pass”. During the registration process, you will be given the option to select your training program.