Web Application Security Testing
Instructor: Bill Sempf
Bill Sempf will be joining us to teach a dynamic course to help us think like an attacker and give us all the coding tips we need to stop them cold in their tracks. Even the most experienced developers are sure to pick up some new tips and tricks, this hands-on day will have something for everyone. Before we start, there will be some setup for labs and tools – so plan some time in advance and bring your Windows, Macintosh, or Linux laptop!
Learning Objective and Outcomes
- Introduction: Problems and solutions as they relate to application security and principles of application security
- Demo a purposefully vulnerable web application, and work with tools
- Authentication: Covers all aspects of secure authentication, including building secure login screens, password storage, secure interactions between sites, and an overview of many other topics.
- Authorization: Basic authorization best practices
- Information Disclosure: How your site will give information to the attackers, and what to do about it
- Injection: SQL, command, LDAP injection, just to name a few. Sending your commands to a backend system
- Browser attacks: Finding and exploiting cross site scripting vulnerabilities
Student Requirements and Prerequisites
- Basic understanding of HTTP protocols and web applications
What Students Should Bring
- A Linux, Mac or Windows laptop. Install VirtualBox
Bill Sempf is an author and application security architect, experienced in application penetration testing, tools creation, and building relationships with application developers. His work on mobile applications is published by CIO magazine. He has presented his original security research to BlackHat EU, DerbyCon, and OWASP AppSec USA. He developed TigerTrax threat intelligence modules in Python to gather specific information from the Facebook Open Graph, collect defined information from search APIs, and parse large text corpus for specific grammar phrases. He also created a comprehensive set of Cross-Site Scripting vectors for use in testing service layers for XSS using Burp Suite’s Intruder. He has experience of testing large scale web applications for Fortune 100 organizations using Burp Suite, IBM AppScan, Metasploit, Kali Linux and many other tools. Bill is assisting the Information Technology department at Columbus State Community College with the creation of their CyberSecurityCurriculum as an industry specialist. Bill is an instructor for the GenCyber program, a NSA funded cybersecurity education program for high school teachers.
Date and Time
November 1, 2019
- Morning session: 8:30 AM to 12 at noon
- Lunch break: 12:00 to 1:00 PM
- Afternoon session: 1:00 PM to 4:30 PM
Go to registration page to register for the training course and select “Ohio LinuxFest Institute Professional Pass”. During the registration process, you will get an option to select your training program.