I will be teaching a one-day course on Software Security Remediation at AppSec USA 2010 on September 7th. The course fee is only $675 – click here to register.
There are lots of courses that teach you how to build secure software from the ground up. There are also lots of courses that will teach you how to assess the security of existing software. This course is unique because it focuses on a HUGE problem all organizations have: dealing with a large number of identified vulnerabilities in deployed code.
This class teaches attendees how to fix security vulnerabilities in existing software. It combines discussion of the project concerns involved in planning and managing remediation efforts with hands-on coding examples that fix specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, apply coding fixes and demonstrate that the fixes are effective. The focus is practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up, or teach security analysts how to test applications for security vulnerabilities; this class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Duration: 1 day
Primary Audience: Software developers
Secondary Audience: Project managers, application security testers, quality assurance testers
Prerequisites: Experience developing enterprise applications in Java or .NET, knowledge of software and application security topics.
1. Introduction and Background
2. Structure of Remediation Projects
4. Inception in Detail
5. Exercise: Fixing SQL Injection Vulnerabilities
   a. String SQL Injection
   b. Integer SQL Injection
6. Planning in Detail
   b. Determining fix approaches and confirmation tests
   c. Calculating level of effort
7. Exercise: Fixing Cross-Site Scripting (XSS) Vulnerabilities
8. Execution in Detail
   c. Functional and regression testing
9. Exercise: Fixing Authorization Vulnerabilities
   a. Failure to restrict URL access
   b. Insecure direct object reference
   a. What to track
   b. Benchmarking versus emerging industry data
11. Exercise: Remediating Sample RiskEUtility Application
12. Conclusion and Final Questions
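The SQL injection exercise in the outline covers both string and integer injection and the "confirmation test" that shows a fix works. The following is an added example of that exercise shape, not code from the course or from ESAPI: it uses Python's standard sqlite3 module and a constructed in-memory users table as a stand-in for the Java/.NET code the class actually uses, since the fix (bind parameters instead of concatenating input, and validate integer inputs before binding) is the same in every language. Function names and the sample rows are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for
    an application's user store (not from the course materials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# Vulnerable (string SQL injection): user input concatenated inside quotes.
def find_by_name_vulnerable(conn, name):
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Vulnerable (integer SQL injection): no quotes to break out of, but the
# input still lands in the query text, so it is just as exposed.
def find_by_id_vulnerable(conn, user_id):
    sql = "SELECT id, name, role FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


# Fixed: a bound parameter. The driver sends the value separately from the
# SQL text, so it is never parsed as SQL no matter what it contains.
def find_by_name_fixed(conn, name):
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Fixed: for integer columns, also enforce the type before binding, so a
# non-numeric value is rejected at the boundary instead of reaching the DB.
def find_by_id_fixed(conn, user_id):
    if not isinstance(user_id, int):
        raise ValueError("user id must be an integer")
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def confirmation_test():
    """Run the same hostile inputs against the vulnerable and fixed versions
    and report row counts, i.e. the evidence that the fix is effective."""
    conn = make_db()
    hostile_name = "x' OR '1'='1"   # constructed tautology for the string case
    hostile_id = "1 OR 1=1"         # constructed tautology for the integer case
    results = {
        "vuln_name_rows": len(find_by_name_vulnerable(conn, hostile_name)),
        "fixed_name_rows": len(find_by_name_fixed(conn, hostile_name)),
        "vuln_id_rows": len(find_by_id_vulnerable(conn, hostile_id)),
        "fixed_id_legit_rows": len(find_by_id_fixed(conn, 1)),
    }
    try:
        find_by_id_fixed(conn, hostile_id)
        results["fixed_id_rejected"] = False
    except ValueError:
        results["fixed_id_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in confirmation_test().items():
        print(f"{key}: {value}")
```

The vulnerable string and integer lookups each return every row of the table for the hostile input, while the parameterized string lookup returns none and the typed integer lookup refuses the input outright; a regression test that asserts those counts is exactly the kind of confirmation test the planning section of the course is about.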
dan _at_ denimgroup.com