Software Security Remediation Course at OWASP AppSec USA: September 7th, 2010

I will be teaching a one-day course on Software Security Remediation at AppSec USA 2010 on September 7th.  The course fee is only $675 – click here to register.

There are lots of courses that teach you how to build secure software from the ground up.  There are also lots of courses that will teach you how to assess the security of existing software.  This course is unique because it focuses on a HUGE problem all organizations have: dealing with a large number of identified vulnerabilities in deployed code.

Course Description:

This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.

Duration:  1 day


Primary Audience: Software developers


Secondary Audience: Project managers, application security testers, quality assurance testers

Prerequisites: Experience developing enterprise applications in Java or .NET, knowledge of software and application security topics.


Syllabus:

1. Introduction and Background
2. Structure of Remediation Projects
   a. Inception
   b. Planning
   c. Execution
3. Virtual Patching
   a. Overview
   b. Applicability
   c. Approaches
4. Inception in Detail
   a. Identifying stakeholders
   b. Setting goals
5. Exercise: Fixing SQL Injection Vulnerabilities
   a. String SQL Injection
   b. Integer SQL Injection
6. Planning in Detail
   a. Calculating risk
   b. Determining fix approaches and confirmation tests
   c. Calculating level of effort
      i. Technical vulnerabilities
      ii. Logical vulnerabilities
   d. Scheduling
      i. Waterfall methodologies
      ii. Agile methodologies
7. Exercise: Fixing Cross-Site Scripting (XSS) Vulnerabilities
   a. Reflected XSS
   b. Stored XSS
   c. DOM-based XSS
8. Execution in Detail
   a. Fixing vulnerabilities
   b. Confirming fixes
   c. Functional and regression testing
   d. Deployment
9. Exercise: Fixing Authorization Vulnerabilities
   a. Failure to restrict URL access
   b. Insecure direct object reference
10. Remediation Metrics
   a. What to track
   b. Benchmarking versus emerging industry data
11. Exercise: Remediating Sample RiskEUtility Application
   a. Inception
   b. Planning
12. Conclusion and Final Questions
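To give a feel for the kind of fix exercise 5 covers, here is an added illustration of the two SQL injection shapes it names (string and integer) alongside one remediation that handles both. This is my own example for this post, not the course's exercise code, and it assumes a plain JDBC connection and made-up `users` and `orders` tables; the point is that the "integer" variant cannot be fixed by quoting or escaping, because the attacker-controlled value is never inside quotes in the first place.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added illustration for this post (not course material). Table and column
// names (users, orders, id, username, email, total) are assumed.
public class SqlInjectionRemediation {

    // (a) String SQL injection: the username is spliced into a quoted literal.
    //     Input  ' OR '1'='1  closes the quote and changes the WHERE clause.
    static ResultSet findUserVulnerable(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // (b) Integer SQL injection: the id is an unquoted number, so escaping quotes
    //     does nothing. Input  1 OR 1=1  returns every row in the table.
    static ResultSet findOrderVulnerable(Connection conn, String orderId) throws SQLException {
        String sql = "SELECT id, total FROM orders WHERE id = " + orderId;
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // Fix for (a): bind the value. The driver sends the parameter separately
    // from the query text, so quotes in the input are just data.
    static ResultSet findUserFixed(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, username, email FROM users WHERE username = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Fix for (b): validate to the expected type first (Integer.parseInt rejects
    // "1 OR 1=1" with a NumberFormatException), then bind it as an int.
    static ResultSet findOrderFixed(Connection conn, String orderId) throws SQLException {
        int id = Integer.parseInt(orderId.trim());
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, total FROM orders WHERE id = ?");
        ps.setInt(1, id);
        return ps.executeQuery();
    }
}
```

The confirmation test for a fix like this is the same payload that demonstrated the finding: after the change, `' OR '1'='1` should match no user and `1 OR 1=1` should be rejected before any SQL runs. Where a legacy query genuinely cannot be restructured to use bind parameters, the course's ESAPI Java library also provides database-specific output encoding (`ESAPI.encoder().encodeForSQL(...)` with a codec such as `OracleCodec` or `MySQLCodec`), but that only helps the quoted-string case; for numeric parameters, type validation plus binding is the fix.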

Here is the main training page for OWASP AppSec USA 2010 and you can click here to register.

Contact us for help fixing security issues you have identified in your applications.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
