Increased demand for web apps hampered by lack of critical penetration
Inevitable growth of web apps leading to innovative new use cases yet many organisations still struggle with security implementation and testing
UK – 12th August, 2014 -“There are an increasing number of options around deploying IT applications from onsite through various forms of externally hosted public and private infrastructure but all of these options are absolutely dependent on the ability to answer a fundamental question – “How secure are your web applications?” explains Dave Shackleford, SANS Instructor and highly experienced security expert. “If you can’t answer the last question then where your critical applications resides is the least of your worries,” quips Shackleford who suggests that organisations concern over deployment models has confused a more pressing issue around secure application design and testing.
Shackleford is the founder of consultancy Voodoo Security and senior instructor, author, and analyst with SANS. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. Shackleford has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security.
“If you look into the detail at major breaches, it is the holes in web apps that have resulted in the theft of millions of credit cards alongside major financial and reputational damage for hundreds of enterprises,” says Shackleford, “Irrespective of where web apps reside, organisations must assume that vulnerabilities exist or will appear as platforms evolve and find and fix these flaws before the bad guys do.”
Shackleford stresses that many of the basic issues such as building applications with buffer-overflow and SQL injection vulnerabilities are still prevalent and are still widely exploited by hackers.
Shackleford will be teaching the SANS SEC542: Web App Penetration Testing and Ethical Hacking course as part of SANS Tallinn 2014 in Estonia this September. The course is aimed at helping web site designers, architects, and developers understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. Through detailed, hands-on exercises and training, attendees learn a four-step process for Web application penetration testing.
The course kicks off with “understanding the attacker’s perspective” as the key to successful Web application penetration testing and thoroughly examines Web technology, including protocols, languages, clients, and server architectures, from the attacker’s viewpoint. The course then progresses through a logical set of phases including ‘Reconnaissance and Mapping”, “Discovery” and “Exploitation”. The final day offers a “capture the flag” challenge allowing students to explore the techniques, tools, and methodology learnt during the course against a realistic intranet application. “The goal is to learn the skills and processes used by an attacker to become better defenders,” Shackleford adds.
The ‘SANS SEC542: Web App Penetration Testing and Ethical Hacking’ course taught by Shackleford will be running at SANS Tallinn 2014, taking place at Sokos Hotel Viru from Monday 1st September until Saturday 6th September 2014. For more information, please visit: http://www.sans.org/event/tallinn-2014/
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 27 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system—the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)