By Dan Cornell
I will be teaching a one-day course on Software Security Remediation at AppSec USA 2010 on September 7th. The course fee is only $675 - click here to register.
There are lots of courses that teach you how to build secure software from the ground up. There are also lots of courses that will teach you how to assess the security of existing software. This course is unique because it focuses on a HUGE problem all organizations have: dealing with a large number of identified vulnerabilities in deployed code.
Course Description:
This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Duration: 1 day
Primary Audience: Software developers
Secondary Audience: Project managers, application security testers, quality assurance testers
Prerequisites: Experience developing enterprise applications in Java or .NET, and knowledge of software and application security topics.
Syllabus:
1. Introduction and Background
2. Structure of Remediation Projects
   a. Inception
   b. Planning
   c. Execution
3. Virtual Patching
   a. Overview
   b. Applicability
   c. Approaches
4. Inception in Detail
   a. Identifying stakeholders
   b. Setting goals
5. Exercise: Fixing SQL Injection Vulnerabilities
   a. String SQL Injection
   b. Integer SQL Injection
6. Planning in Detail
   a. Calculating risk
   b. Determining fix approaches and confirmation tests
   c. Calculating level of effort
      i. Technical vulnerabilities
      ii. Logical vulnerabilities
   d. Scheduling
      i. Waterfall methodologies
      ii. Agile methodologies
7. Exercise: Fixing Cross-Site Scripting (XSS) Vulnerabilities
   a. Reflected XSS
   b. Stored XSS
   c. DOM-based XSS
8. Execution in Detail
   a. Fixing vulnerabilities
   b. Confirming fixes
   c. Functional and regression testing
   d. Deployment
9. Exercise: Fixing Authorization Vulnerabilities
   a. Failure to restrict URL access
   b. Insecure direct object reference
10. Remediation Metrics
   a. What to track
   b. Benchmarking versus emerging industry data
11. Exercise: Remediating Sample RiskEUtility Application
   a. Inception
   b. Planning
12. Conclusion and Final Questions
Here is the main training page for OWASP AppSec USA 2010 and you can click here to register.
Contact us for help fixing security issues you have identified in your applications.
--Dan
dan _at_ denimgroup.com