Certified Web Application Security Professional CWASP · 2013-05-31 · Certified Web Application Security Professional ... Introduction and Case Study ... Vulnerability Assessment

Computer Society of India Mumbai Chapter
Two days hands-on workshop on:

Certified Web Application Security Professional
21st to 22nd June 2013, 9.30 am to 5.30 pm, Mumbai

Introduction
The course is focused on comprehensive coverage of web application security. It presents security guidelines and considerations for web application development. Participants will learn the basics of application security, how to enforce security in a web application, the basics of threat modeling, threat profiling, OWASP Top Ten testing, black box testing, and source code reviews.

Objectives of the course
Upon completion of this course, participants will be able to:
• Understand the need for security
• Understand the various security threats and countermeasures
• Design and develop secured web applications

Registration Fees
• CSI Members: Rs. 10,000/- per participant
• Non CSI Members: Rs. 12,000/- per participant
(Group discount is available for a minimum of 5 registrations)

Who Should Attend
• All web app developers, testers and designers who wish to improve their security skills
• Developers and System Architects wishing to improve their security skills and awareness
• Team Leaders and Project Managers
• Security practitioners and managers
• Auditors
• Anyone interested in techniques for securing Web applications
• QA analysts who want to learn the mechanics of Web applications for better testing

Course Contents

Session One: Introduction and Case Study
• Module 1: Web Hacking Case Studies
• Module 2: Business Risks from Application Vulnerabilities

Session Two: Web 2.0 Security
• Module 3: What is Web 2.0?
• Module 4: AJAX Vulnerabilities
• Module 5: What are Web Services?
• Module 6: Web Services Vulnerabilities

Session Three: Threat Modeling – Web Application Security Controls
• Module 7: Application Security – An Overview
• Module 8: Threat Modeling – Objectives
• Module 9: Threat Modeling – Meaning and Terminology
• Module 10: Hacker's Interest Area
• Module 11: Threat Profiling
• Module 12: Practical Considerations
• Module 13: Case Study

Session Four: Introduction to Web Application Vulnerabilities
• Module 14: OWASP Top Ten
• Module 15: WASC List of Vulnerabilities

Session Five: Functional vs. Security Testing
• Module 16: What is Functional Testing?
• Module 17: What is Security Testing?
• Module 18: Differences
• Module 19: Tools for Functional and Security Testing

Session Six: Web Application Insecurities – Practical Hands-on
• Module 20: Demo of web vulnerabilities with insecure web applications

Session Seven: Secure Coding Techniques
• Module 21: Best Practices
• Module 22: Secure J2EE Programming
• Module 23: Secure .NET Programming
• Module 24: Secure PHP Programming

Session Eight: Significant OWASP Projects
• Module 25: OWASP Development Guide
• Module 26: OWASP Testing Guide
• Module 27: OWASP Code Review Guide

Session Nine: Flash Attacks

Session Ten: IFrame Attacks

Session Eleven: Continuous Security Testing and Assessments
• Module 28: Risk-based approach
• Module 29: Risks from Outsourcing
• Module 30: Conducting VAPT, Source Code Audits, Infrastructure Reviews

Faculty Profile
Wasim Halani currently serves as a Senior Security Analyst in the Technical Assessment team. His work mainly focuses on conducting Security Audits, Vulnerability Assessment and Penetration Testing for premier clients. He has also handled some unique projects over the past two years, such as Social Engineering, Wireless Network Assessments, WAP Service testing and KIOSK Risk Assessment. He possesses strong analytical skills and keeps himself involved in learning new attack vectors, tools and technologies, which allow him to conduct in-depth testing of applications during a penetration testing exercise. In his free time, he likes to research advanced topics such as Malware Analysis and Exploit Development. He is a Certified Professional Hacker (CPH) and also provides training services.

Application Security
• Well versed with OWASP Top Ten and WASC Threat Classifications
• Expertise in Vulnerability Assessment and Penetration Testing of Web Applications


• Business-logic based application testing
• Penetration testing of WAP/WML services

Network Security
• Good knowledge of TCP/IP fundamentals
• Worked on security for a range of operating systems, databases, web servers and mail servers
• VPN Assessment
• Firewall and Router Configuration Review
• Worked on security for VoIP technology

Wireless Security
• Cracking WEP encryption
• Auditing WPA and WPA2 encryption
• Wireless network implementation review

Forensics
• Disk Imaging with EnCase
• Web Server Log Review
• Fraud Investigation
• Email Address Tracking
• File Recovery

Penetration Testing 2.0
• Social Engineering
• Phishing
• Client-side Attacks

Conducts trainings on the following subjects
• Certified Professional Hacker
• Exploit Development
• Advanced Metasploit
• Wireless Security
• Network Security Auditing
• Database Security Auditing

Over the past two years, Wasim has been exposed to a variety of applications and network environments, which have helped him enhance his understanding and technical skills.
• Operating Systems: Windows XP/2000/2003/Vista/7, Linux, Unix (Solaris), HP-UX
• Databases: MS SQL Server, Oracle, MySQL
• Servers: FTP, TFTP, DHCP, Web Servers (IIS, Apache), Mail Servers (Sendmail, SquirrelMail), Domain Controller (Active Directory)

While conducting security assessments, Wasim has familiarized himself with many of the popular tools available. A few tools he regularly uses are:
• Nmap, Tenable Nessus, Metasploit, Burp Suite Pro, Wireshark, Netcat, Aircrack-ng suite, Cain & Abel, tcpdump, Ettercap, Pwdump/Fgdump, Brutus, John the Ripper, Hydra, OphCrack, Wikto, W3AF, ike-scan, IKEProbe
• He is also comfortable with the BackTrack 4 Penetration Testing OS

Programming Languages
• C, C++, HTML, Perl, Java, Visual Basic 6, JavaScript, SQL, Visual C#.NET, XML, PHP

Venue & For Registration Contact
Harshavardhan Mane
CSI Mumbai Chapter, Unit no 3, 4th floor, Samruddhi Venture, MIDC, Andheri East, Mumbai - 400093.
Tel: 022 28235476 / 28235548, (Mobile) 9819089527, 9664926800, Fax: 022 28235546
Email: [email protected] / [email protected] / [email protected]
Website: http://www.csimumbai.org

Terms & Conditions

- All payments should be made in the name of "CSI Mumbai Chapter", payable at Mumbai.
- The mentioned fees are inclusive of all taxes and charges.
- Registration fees cover courseware, lunch, tea/coffee and the CSI Certificate.
- Group discount is available for a minimum of 5 registrations.
- Non CSI Members can avail a discount in fees by becoming members of the society; for details visit: http://www.csi-india.org
- Payment is to be made in favour of "CSI Mumbai Chapter", A/c No. 054401002573, payable at ICICI Bank, MIDC, Andheri East Branch, Mumbai-400093, RTGS/NEFT Code: ICIC0000544. (All major VISA / MasterCard credit / debit cards will be accepted.)
- Participation only through advance registration (batch size: 20 participants only).
- Note: Outstation participants need to confirm at least 2 days prior to the commencement of the training.


Disclaimer: This mail is not spam mail and is a genuine communication from Computer Society of India (CSI) Mumbai Chapter to its members and other IT Professionals to inform them about the forthcoming event. If you feel that this mail should not have been sent to you or you want similar communication to be sent to your different e-mail address, please reply to this mail and specify it in the message.