
March 9-14, 2011 - SANS Information Security Training


SANS AppSec 2011: Summit & Training offers great opportunities to learn how to improve security in your applications:

What Works Summit: March 7-8, 2011

Application and Software Security Training: March 9-14, 2011

March 7-14, 2011 • San Francisco, CA

THE MOST TRUSTED NAME FOR INFORMATION AND SOFTWARE SECURITY

Don’t Fall Prey to Attackers

Hands-on immersion training, including:

• DEV522: Defending Web Applications Security Essentials
• DEV542: Web App Penetration Testing & Ethical Hacking
• DEV541: Secure Coding in Java/JEE: Developing Defensible Apps
• DEV544: Secure Coding in .NET: Developing Defensible Apps
• DEV543: Secure Coding in C/C++
• DEV304: Software Security Awareness

Summit

The Summit will feature user panels, debates, vendor demos, and talks by industry experts and enterprise practitioners to give you the most up-to-date security solutions in the least amount of time.

Register at www.sans.org/appsec-2011

GIAC Approved Training


Frank Kim

Hello!

I’d like to invite you to join me at SANS AppSec 2011 on March 7-8 in San Francisco where developers, software professionals, and application security experts will discuss the latest threats, defenses, and cutting edge thinking in software security.

If you are responsible for building an enterprise software security program what should you be doing to get the most out of your security activities? What are the latest trends and threats to your organization? How can you create more secure applications?

To address these questions, we have an action-packed agenda, with keynotes from both Mary Ann Davidson, the CSO at software giant Oracle, and Nils Puhlmann, CSO at the popular social network game developer Zynga. Security researcher Billy Rios will give an amazing talk entitled “So You Wanna Be a Bot Master?” Noted author and security researcher Nitesh Dhanjani will present on “Hacking and Securing Next Generation iPhone and iPad Apps”. We also have many other expert sessions on important topics like Cloud Security with Robert Fly from SalesForce.com speaking about “Building a Security Ecosystem”. Several user panels will feature real-world security practitioners from companies like Adobe, Cisco, Intuit, Standard Insurance, and AonHewitt. We’ll also look at the future of application security tools during our interactive vendor panel to see how various tools can help us do our jobs more effectively.

In addition to the two-day summit which features a series of one-hour talks and panels, we also have post-summit training classes with SANS’ top-rated instructors. Our most popular courses on Web application security, penetration testing, and secure coding will be offered on March 9-14:

• SEC542: Web App Pen Testing and Ethical Hacking

• DEV522: Defending Web Application Security Essentials

• DEV541: Secure Coding in Java/JEE

• DEV544: Secure Coding in .NET

• DEV543: Secure Coding in C/C++

• DEV304: Software Security Awareness

SANS AppSec 2011 is truly a great event, where we can all share ideas to improve the state of software security. I look forward to seeing you there!

Sincerely,

Frank Kim, Application Security Curriculum Lead

Application Security Summit: March 7-8, 2011 • San Francisco, CA

Being held in conjunction with AppSec 2011 Training

See pages 4-7 for more information or visit www.sans.org/appsec-2011


Contents

Training and Your Career Roadmap . . . 2-3
AppSec 2011 Special Presentations . . . 14-15
SANS Software Security Institute . . . 16
Hotel and Travel Information . . . 17
Registration Information . . . 17
Future SANS Training Events . . . Back Cover

Instructors

Tanya Baccam (DEV542) . . . 9
David Hoelzer (DEV543) . . . 12
Frank Kim (DEV541) . . . 10
Jason Lam (DEV522) . . . 8
David Rice (DEV544) . . . 11
Johannes Ullrich, PhD (DEV304) . . . 13

Courses-at-a-Glance

Please check the Web site for an up-to-date course list at www.sans.org/appsec-2011

Schedule columns: Mon 3/7, Tue 3/8, Wed 3/9, Thu 3/10, Fri 3/11, Sat 3/12, Sun 3/13, Mon 3/14

• SANS WhatWorks in Application Security Summit (page 4)
• DEV304 Software Security Awareness (page 13)
• DEV522 Defending Web Applications Security Essentials (page 8)
• DEV541 Secure Coding in Java/JEE: Developing Defensible Applications (page 10)
• DEV542 Web App Penetration Testing and Ethical Hacking (page 9)
• DEV543 Secure Coding in C/C++ (page 12)
• DEV544 Secure Coding in .NET: Developing Defensible Applications (page 11)

SANS AppSec 2011 • March 7-14, 2011 • Register at www.sans.org/appsec-2011


SANS Training and Your Career Roadmap

APPSEC CURRICULUM

General / Management
• DEV304 Software Security Awareness
• DEV320 Introduction to the Microsoft Security Development Lifecycle

Design & Test
• DEV538 Web App Pen Testing Immersion
• DEV522 Defending Web Applications Security Essentials
• DEV542 Web App Pen Testing and Ethical Hacking (GWAPT)

Secure Coding
• Java: DEV530 Essential Secure Coding in Java/JEE (2-Day Course); DEV541 Secure Coding in Java/JEE (4-Day Course) (GSSP-JAVA)
• C & C++: DEV543 Secure Coding in C/C++
• PHP: DEV545 Secure Coding in PHP
• Code Review: DEV534 Secure Code Review for Java Web Apps
• PCI: DEV536 Secure Coding for PCI Compliance
• .NET: DEV532 Essential Secure Coding in .NET (2-Day Course); DEV544 Secure Coding in .NET (4-Day Course) (GSSP-.NET)

SECURITY CURRICULA

Intrusion Analysis Curriculum
• SEC502 Perimeter Protection In-Depth (GCFW)
• SEC501 Advanced Security Essentials – Enterprise Defender (GCED)
• SEC503 Intrusion Detection In-Depth (GCIA)
Additional Intrusion Analysis Courses: SEC577: Virtualization Security Fundamentals

Incident Handling Curriculum
• SEC504 Hacker Techniques, Exploits, and Incident Handling (GCIH)
• SEC501 Advanced Security Essentials – Enterprise Defender (GCED)
Additional Incident Handling Courses: SEC517: Cutting-Edge Hacking Techniques; SEC550: Information Reconnaissance: Competitive Intelligence and Online Privacy

System Administration Curriculum
• SEC505 Securing Windows (GCWN)
• SEC501 Advanced Security Essentials – Enterprise Defender (GCED)
• SEC506 Securing Linux/Unix (GCUX)
Additional System Administration Courses: SEC434: Log Management In-Depth; SEC509: Securing Oracle; SEC531: Windows Command-Line Kung Fu; SEC546: IPv6 Essentials; SEC564: Hacker Detection for System Administrators; SEC569: Combating Malware in the Enterprise: Practical Step-by-Step Guidance

Network Security Curriculum
• SEC501 Advanced Security Essentials – Enterprise Defender (GCED)
• SEC566 Implementing & Auditing the Twenty Critical Security Controls - In-Depth
• SEC301 Intro to Information Security (GISF) – Beginners
Additional Network Security Courses: SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing; SEC556: Comprehensive Packet Analysis; SEC565: Data Leakage Prevention - In Depth

Penetration Testing Curriculum
• SEC540 VoIP Security
• SEC560 Network Pen Testing and Ethical Hacking (GPEN)
• SEC542 Web App Pen Testing and Ethical Hacking (GWAPT)
• SEC660 Advanced Penetration Testing, Exploits, and Ethical Hacking
• SEC617 Wireless Ethical Hacking, Pen Testing, and Defenses (GAWN)
Additional Penetration Testing Courses: DEV538: Web App Pen Testing Immersion; SEC561: Network Penetration Testing: Maximizing the Effectiveness of Reports, Exploits, and Command Shells; SEC567: Power Packet Crafting with Scapy; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; SEC710: Advanced Exploit Development

FORENSICS CURRICULUM
• FOR408 Computer Forensic Essentials (GCFE)
• FOR508 Computer Forensic Investigations and Incident Response (GCFA)
• FOR558 Network Forensics
• FOR563 Mobile Device Forensics
• FOR610 REM: Malware Analysis Tools & Techniques (GREM)
Additional Forensics Courses: FOR526: Advanced Filesystem Recovery and Memory Forensics

MANAGEMENT CURRICULUM
• MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™ (GSLC)
• MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam (GISP)
• MGT525 Project Mgt and Effective Communications for Security Professionals and Managers (GCPM)
Additional Management Courses: MGT305: Technical Communication and Presentation Skills for Security Professionals; MGT404: Fundamentals of Information Security Policy; MGT405: Critical Infrastructure Protection; MGT411: SANS 27000 Implementation & Management (G7799); MGT421: SANS Leadership and Management Competencies; MGT431: Secure Web Services for Managers; MGT432: Information Security for Business Executives; MGT438: How to Establish a Security Awareness Program; MGT442: Information Security Risk Management; MGT514: Information Security Policy – In Depth; MGT570: Social Engineering Defense

LEGAL CURRICULUM
• LEG523 Law of Data Security and Investigations (GLEG)

AUDIT CURRICULUM
• AUD507 Auditing Networks, Perimeters, and Systems (GSNA)
Additional Audit Courses: AUD305: Technical Communication & Presentation Skills; AUD410: IT Security Audit & Control Essentials; AUD423: Training for the ISACA® CISA® Cert Exam; AUD429: IT Security Audit Essentials Bootcamp; AUD440: 20 Critical Security Controls: Planning, Implementing, and Auditing; AUD521: Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant; AUD566: Implementing & Auditing the Twenty Critical Security Controls – In-Depth

Foundation courses shown as entry points in several curricula:
• SEC301 Intro to Information Security (GISF)
• SEC401 SANS Security Essentials Bootcamp Style (GSEC)

SEC301 NOTE: If you have experience in the field, please consider our more advanced course – SEC401.

GIAC certification available for courses indicated with GIAC acronyms.


Summit Overview: Questions to Be Answered

• What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?

• What attacks will do the most damage during 2011?

• Which application security tools work best and what kind of challenges have users found in implementing them?

• How can you gain confidence in the security of outsourced application development and how do you verify the skills of the outsourced programmers?

• How do you embed application security testing into the outsourcer’s process?

• How do you ensure the outsourcer has adequate but tightly limited access to your own networks?

• What are the essentials of a comprehensive Web site security program?

• What are the most prevalent website vulnerabilities?

• What do the hackers hack, how, and what is the end result?

• What strategies work best to identify application vulnerabilities?

• How can you gauge the strengths and weaknesses of your development team?

• How will application security and application development environments evolve over time?

• When will colleges ensure their computer sciences and information technology graduates know secure coding techniques?

March 7-8, 2011 • San Francisco, CA • Being held in conjunction with SANS AppSec 2011

Summit Venue:

The Stanford Court Renaissance San Francisco Hotel, 905 California St, San Francisco, CA 94108, 415-989-3500, http://bit.ly/6EvKGB

“Attacks against Web applications constitute more than 60% of the total attack attempts observed on the Internet.” - SANS TOP CYBER SECURITY RISKS

Register at www.sans.org/appsec-2011



What You Will Learn at the AppSec Summit

• The essentials of a comprehensive Web site security program and how to secure an insecure Web site.

• The most current info on Web hacking techniques and how you can guard against them.

• What the most prevalent Web vulnerabilities are and how hackers take advantage of them to hack into your Web site.

• Unique procurement practices that will help you manage your application security outsourcing and improve application security.

• The confessions of a professional Web app hacker.

• What your peers are doing to secure their Web applications and what the best practices are in application security.

• What tools are available and how they compare. Which tools you should have in your security toolbox to ensure your applications are locked up tight.

Why attend?

Coming to the Summit will save you months of time in product evaluation, project planning, and just avoiding errors other companies have made. There’s no better way to find out what others have tried and what works.

Agenda – Day 1: Monday, March 7, 2011

War Made New: Changing the IT Battlefield - Mary Ann Davidson, Oracle

Advances in warfare have resulted from improvements in technology, but also the way we think about the battlefield. How can we in information technology apply the lessons of warfare to the problems of defending our information infrastructure? What changes in techniques, tactics and “techknowledge” can help “the good guys” prevail? How can we change the way we think about the IT landscape so we are semper paratus – always prepared?

How Real World Software Security Programs Work - Brad Arkin, Adobe; Chris Peterson, Zynga; Greg Ruddell, RBC – PANEL

SDLC security involves many stakeholders and consists of code reviews, threat modeling, risk analysis, penetration testing, and training to name a few. Navigating the people, processes, and technology to create secure software is a lot of work. Panelists will discuss how they made their software security programs successful.

Software Experts on Security - James Bach, Satisfice; Jim Bird, BIDS Trading Technologies; David Rice – EXPERT PANEL

Developers don’t attend security conferences and most software development conferences don’t focus on software security. Often, developers are learning new tools and only have time to meet deadlines. Software development panelists share their thoughts on bridging the gap between security and software development and creating secure software.

So You Wanna Be a Bot Master? - Billy Rios, Google

Explore command and control software used by bot masters, analyze tools used by the shadiest underground characters and uncover stolen data. Dive into the source code and dissect individual components of a real botnet command and control server. Look at the types of data bots are after and how bots get stolen data back to its master. See actual control consoles as they control an army of bots, learn to find these servers on the Internet and discuss challenges when researching bot software.

Software Security Architecture in Practice - Brook Schoenfield, Cisco – PANEL

The earlier you find a defect, the cheaper the fix. Why aren’t more resources allocated to finding issues during design and architecture? Panelists from security architecture teams discuss their approaches to reducing application security risk.

Hacking and Securing Next Generation iPhone Apps - Nitesh Dhanjani, Ernst & Young

More than 5 billion iPhone and iPad applications have been downloaded from Apple’s app store. From employees to individuals utilizing the devices for personal use, each of the 200,000+ applications is subject to an attack surface. Hear about case studies of apps that are vulnerable to attacks. Discuss new attack vectors for iOS and how to securely code iOS apps to prevent against them, and a framework for incorporating secure design and coding principles into the Model-View-Controller approach used to develop iOS apps.

What Enterprises Should be Doing but Aren’t - John Dickson, Denim Group; Mike Hryekewicz, Standard Insurance; Trey Keifer, AonHewitt – PANEL

Many organizations recognize the value of software security and are proactively working on reducing critical software vulnerabilities, but what’s not being done? Panelists discuss today’s needs so the state of application security will be more improved in the future.

Agenda – Day 2: Tuesday, March 8, 2011

Keynote Speaker - Nils Puhlmann, Zynga

Nils Puhlmann is the co-founder of the Cloud Security Alliance and the CSO at Zynga, which is the world’s largest social game developer. More than 215 million monthly active users play its games. Zynga’s games include FarmVille, Treasure Isle, Zynga Poker, Mafia Wars, YoVille, Café World, FishVille, PetVille, and FrontierVille. Zynga games are available on Facebook, MySpace, and the iPhone.

Mobile Application Security - Chris Clark, iSec Partners; Chris Palmer, EFF – PANEL

As mobile becomes the dominant computing platform and companies are created to build apps, large enterprises are scrambling to deploy and provide customers with convenient access to business functions and data. In the rush to build new applications, security usually takes a backseat. What are the biggest mobile challenges companies face and what can be done to develop and deploy secure mobile applications for your enterprise?

Building a Security Ecosystem - Robert Fly, SalesForce.com

Platform providers have begun making small inroads ensuring developers on their platform write secure code. Salesforce.com’s Force.com platform attempted to reverse the tide of insecure and poorly written code by building a secure development lifecycle around its platform and working with its community to write secure code. Examine what salesforce.com has done to build a security ecosystem around Force.com and the challenges associated with doing so.

Meaningful Software Security Metrics - Ryan Barnett, Trustwave; Arian Evans, WhiteHat Security; Chris Wysopal, Veracode – EXPERT PANEL

How can we make software security metrics meaningful to business and technical application owners? Panelists discuss metrics that work today and that we should and will be using in the future to measure the success of software security efforts.

How to Detect Application Fraud - Robert Fly, SalesForce.com; David Hahn, Intuit; Cory Scott, Matasano – PANEL

When attackers utilize legitimate functionality to abuse your application and defraud your organization, how do you detect it? Panelists discuss challenges their companies face in analyzing attacks and preventing application fraud.

The Future of Application Security Tools - Ryan Berg, IBM; Brian Chess, HP; Jim Manico – VENDOR PANEL

Application security panelists share their vision for the future of software security tools and discuss how commonly used tools (static analysis, black box testing, WAF) can be leveraged and integrated to provide value for customers.

“Great Summit! It gave the Who, the What, the Hows, and the Nots from real-life experiences.” - ROLO GUZMAN, HESS

Who Should Attend?

• Developers, architects, QA testers, and other software professionals tasked with building secure apps from the ground up

• CIOs and CTOs who need to understand the myriad issues around web apps

• Security professionals who need to be aware of the latest application security issues

• Development managers who want to be able to help their teams develop secure code

• Anyone who wants to build more secure applications

The National Secure Coding Assessment for Programmers

Invite your programmers to take the new GIAC Certified Secure Programmer examination. For more data on the certifications and exams, see GIAC Secure Software Programmer Certification Exam: www.sans.org/gssp

“This Summit provides an excellent means to stay informed on what is available today; and what the current and emerging issues are.” - YONG CHOE, SAIC



DEV522: Defending Web Applications Security Essentials

Six-Day Program • Wed, March 9 - Mon, March 14, 2011 • 9:00am - 5:00pm • 36 CPE Credits • Laptop Required • Instructor: Jason Lam

Defending Web applications is critical! In battle an attacker is exposed and at a massive disadvantage when fighting against a well-entrenched defender. This course will teach you how to build defense in depth, allowing you to detect and expose an attacker early. Learn about the tripwires and obstacles that savvy defenders use to detect, channel, and thwart attacks! The course material distills the experience of two top defenders of embattled Web sites, and builds on the industry consensus research of the CWE/SANS Top 25 programming errors (CWE 25) and the OWASP Top 10.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.

The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies like AJAX and Web services.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding level implementation.

The course will cover the topics outlined by OWASP’s Top 10 risks document, as well as additional issues the authors found of importance in their day-to-day Web application development practice. Examples of the topics that will be covered include:

• Infrastructure security
• Server configuration
• Authentication mechanisms
• Application language configuration
• Application coding errors like SQL injection and cross-site scripting
• Cross-site request forging
• Authentication bypass
• Web services and related flaws
• Web 2.0 and its use of Web services
• XPATH and XQUERY languages and injection
• Business logic flaws

The course will make heavy use of hands-on exercises. It will conclude with a large defensive exercise, reinforcing the lessons learned throughout the week.

Who Should Attend

• Application developers
• Application security analysts or managers
• Application architects
• Penetration testers who are interested in learning about defensive strategies
• Security professionals who are interested in learning about Web application security
• Auditors who need to understand defensive mechanisms in Web applications
• Employees of PCI compliant organizations who need to be trained to comply with PCI requirements

Jason Lam, SANS Certified Instructor

Jason is a senior security analyst at a major financial institution in Canada. His recent SANS Institute courseware development includes Defending Web Application Security Essentials and Web Application Pen Testing Hands-On Immersion. Jason started his career as a programmer before moving on to ISP network administration, where he handled network security incidents, which sparked his interest in information security. Jason specializes in Web application security, penetration testing, and intrusion detection. He currently holds a BA in computer science from York University in Toronto, Ontario, as well as the CISSP, GCIA, GCFW, GCUX, GCWN, and GCIH certifications.

STI Masters Program: www.sans.edu

This course covers the OWASP Top 10 and the CWE/SANS Top 25 Programming Errors which are important in Java development.


DEV542: Web App Penetration Testing and Ethical Hacking

Six-Day Program • Wed, March 9 - Mon, March 14, 2011 • 9:00am - 5:00pm • 36 CPE Credits • Laptop Required • Instructor: Tanya Baccam

Assess Your Web Apps In Depth.

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate- to advanced-level class you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize cross-site scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker so that you can be a powerful defender.

On day one, we will study the attacker’s view of the Web as well as learn an attack methodology and how the pen tester uses JavaScript within the test. On day two, we will study the art of reconnaissance specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three, we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four, we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

Who Should Attend

• General security practitioners
• Web site designers and architects
• Developers

Tanya Baccam, Senior Instructor

Tanya is a senior SANS instructor as well as a SANS courseware author. She also provides many security consulting services, such as system audits, vulnerability and risk assessments, database assessments, Web application assessments, and penetration testing. She has previously worked as the director of assurance services for a security services consulting firm, as well as manager of infrastructure security for a healthcare organization. She also served as a manager at Deloitte & Touche in the Security Services practice. Throughout her career she has consulted with many clients about their security architecture, including areas such as perimeter security, network infrastructure design, system audits, Web server security, and database security. She has played an integral role in developing multiple business applications and currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, CCNA, CCSE, CCSA, and Oracle DBA certifications.

STI Masters Program: www.sans.edu

Cyber Guardian Program: www.sans.org/cyber-guardian

GIAC Certification: www.giac.org


Secure Coding in Java/JEE: Developing Defensible Applications

DEVELOPER 541

Four-Day Program • Wed, March 9 - Sat, March 12, 2011 • 9:00am - 5:00pm
24 CPE Credits • Laptop Required • Instructor: Frank Kim

Who Should Attend
• Developers who want to build more secure applications
• Java EE programmers
• Software engineers
• Software architects
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

The Difference between Good and Great Programmers

Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That’s still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

The Only Course Covering the Key Elements of Secure Application Development in Java

Such buyer and management demands create an immediate response from programmers, “Where can I learn what is meant by secure coding?” This unique SANS course allows you to bone up on the skills and knowledge being measured in the third-party assessments as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf.)

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It’s not a high-level theory course. It’s about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving security of Java applications.

Rather than teaching students to use a set of tools, we’re teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.

Frank Kim, SANS Instructor
Frank Kim is a co-founder and principal consultant with Think Security Consulting (www.thinksec.com), a San Francisco Bay area based application security consulting firm. Frank is an author and instructor for SANS SEC541: Secure Coding in Java/JEE. He has over ten years of experience developing applications using Java/Java EE and has designed and developed Web applications for large health care, technology, insurance, and consulting companies. Frank currently focuses on integrating security into the software development life cycle by doing penetration testing, security assessments, architecture reviews, code reviews, and training. Frank holds the CISSP, GPEN, GCIH, GCFA, GCIA, and GSSPJava certifications and is a Sun Certified Java Developer and Programmer.

GIAC Certification: www.giac.org

Secure Coding in .NET: Developing Defensible Applications

DEVELOPER 544

Four-Day Program • Wed, March 9 - Sat, March 12, 2011 • 9:00am - 5:00pm
24 CPE Credits • Laptop Required • Instructor: David Rice

Who Should Attend
This class is focused specifically on software development but is accessible for anyone comfortable working with code and with an interest in understanding the developer’s perspective:
• Software developers and architects
• Senior software QA specialists
• System and security administrators
• Penetration testers

ASP.NET and the .NET framework have provided Web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework and where you need to build security in by hand. We’ll also examine strategies for building applications that will be secure both today and in the future.

Rather than focusing on traditional Web attacks from the attacker’s perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.

Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML Web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.

Prerequisites
• Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
• While this class briefly reviews basic Web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.

David Rice, Senior Instructor
David Rice is an internationally recognized cyber security expert, consulting director for policy reform at the U.S. Cyber Consequences Unit, and author of the critically acclaimed book Geekonomics: The Real Cost of Insecure Software. Mr. Rice is a key figure shaping the discussion of cyber security, and his work impacts both U.S. and European cyber security policy. As director of The Monterey Group, a private consulting firm, Mr. Rice advises a variety of clients on a range of issues, including cyber strategy development and execution, corporate cyber risk management, cyber security metrics, identity management, and secure software development practices.

GIAC Certification: www.giac.org

Secure Coding in C/C++

DEVELOPER 543

Two-Day Program • Wed, March 9 - Thu, March 10, 2011 • 9:00am - 5:00pm
12 CPE Credits • Laptop Required • Instructor: David Hoelzer

Who Should Attend
• C Programmers
• C++ Programmers
• Project Managers overseeing coding tasks in C or C++
• Embedded programmers working with C or C++
• Legacy code maintainers
• Code auditors

The C and C++ programming languages are the bedrock for most operating systems, major network services, embedded systems and system utilities.

Even though C and, to a lesser extent, C++ are well understood languages, the flexibility of the language and inconsistencies in the standard C libraries have led to an enormous number of discovered vulnerabilities over the years. The unfortunate truth is that there are probably more undiscovered vulnerabilities than there are known vulnerabilities!

This course will cover all of the most common programming flaws that affect C and C++ code. The course will specifically cover the issues identified by the GSSP (GIAC Secure Software Programmer) blueprint for C/C++ with some additional items from the CERT Secure Coding Standard. Each issue is described clearly with examples. Throughout the course students are asked to identify flaws in modern versions of common open-source software to provide hands-on experience identifying these issues in existing code. Exercises also require students to provide secure solutions to coding problems in order to demonstrate mastery of the subject.

Topics Covered
• Off-by-one errors
• Problems with NTBSs
• Causes of buffer overflows
• Causes of heap overflows
• Common memory management errors
• Integer promotion standards
• Side effects of integer promotions
• Common integer errors
• Common semaphore issues
• File I/O errors
• Review process for identifying coding errors

Author Statement
SANS has done a great job over the years of assisting the industry in performing triage. We’ve progressed from needing to secure our perimeters, giving advice on how to monitor networks and identify attacks, how to deploy services securely and how to secure operating systems. Now that the triage is done it’s time for us to get to the heart of our real problems: we’ve got a lot of bad code that we’re relying on for mission critical applications. This course adds one more tool to your arsenal, allowing you to identify and fix your problems at the source... literally! - David Hoelzer

David Hoelzer, SANS Faculty Fellow
David Hoelzer is a high-scoring certified SANS instructor and author of more than twenty sections of SANS courseware. He is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Recently, David was called upon to serve as an expert witness for the Federal Trade Commission for ground-breaking GLBA Privacy Rule litigation. David has been highly involved in governance at SANS Technology Institute, serving as a member of the Curriculum Committee as well as Audit Curriculum Lead. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open source security software solution provider. In the past, David served as the director of the GIAC Certification program, bringing the GIAC Security Expert certification to life. David holds a BS in IT, Summa Cum Laude, having spent time either attending or consulting for Stony Brook University, Binghamton University, and American Intercontinental University. David blogs about IT Audit issues at https://blogs.sans.org/it-audit

Software Security Awareness

DEVELOPER 304

One-Day Program • Wed, March 9, 2011 • 9:00am - 5:00pm
3 CPE Credits • Laptop NOT Required • Instructor: Johannes Ullrich, PhD

Who Should Attend
• Software developers
• Software testers
• Managers with software development responsibility

A Sampling of Topics
• Vulnerability Cycle – Discovery, Exploit and Patching
• Principles of Security Applicable to All Software
• 9 Steps to Designing Secure Software
• 18 Software Implementation Flaws
• Recommended Practices for Safe Data Handling
• Recommended Techniques and Tools for Testing the Security of Software

This awareness course discusses the design and implementation of software applications to reduce the risk from hackers and attacks. The concept is to engineer software so that it continues to function correctly under malicious attack. This course introduces defensive coding and tips to avoid creating problems or vulnerabilities. We also examine the most common flaws of software design and implementation, and you will learn about specific practices to avoid those flaws.

This is an introductory course, suitable for managers as well as developers to get them thinking about baking security into software. The next courses in this track would be SANS Web application security and then language-specific developer security training or tester-specific courses.

Prerequisites
There are no prerequisites; this is the introductory course to this subject.

Author Statement
Today, vulnerabilities are regularly found in software and patches are issued. We try to create the patches fast enough and apply them in a timely manner to avoid successful attacks targeting those vulnerabilities. But still, billions of dollars are squandered in lost productivity and downtime just from attacks against known vulnerabilities in software. Although some vulnerabilities will always exist in complex systems, there has to be a better way! There is “baking security into software,” which we define as building software to be secure, robust, and reliable from the ground up. Join us as we introduce issues and approaches to bake security into software. -Ted Demopoulos, Ralph Durkee, and Stephen Northcutt

Johannes Ullrich, PhD, Certified Instructor
As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also enjoys blogging about application security tips at https://blogs.sans.org/appsecstreetfighter.

SANS AppSec 2011 Special Presentations
Enrich your conference experience! Visit www.sans.org/appsec-2011 for dates and times.

Evening talks given by our faculty and selected subject experts help broaden your knowledge; get the most for your training dollar and hear from the voices that matter in computer security.

SANS Technology Institute Brief
Speaker: Tanya Baccam

SANS Technology Institute Master of Science degree programs offer candidates an unparalleled opportunity to excel in the two aspects of security that are most important to the success of their employer and their own careers: management skills and technical mastery.

Over the next 20 years, information technology will become so central to all aspects of our lives, from recreation to warfare, that information security will rise in importance and scale. It will become a profession with more than 500,000, and perhaps as many as 1,000,000, people employed in positions in which they have significant roles in shaping the security of their employers’ systems. Those people need managers, technical directors, and chief information security officers who are deeply skilled in the technology and who have excellent management skills.

If you aspire to help lead your organization’s or your country’s information security program and you have the qualifications, organizational backing, and personal drive to excel in these challenging degree programs, we will welcome you into the program.

KEYNOTE: Defensive Coding: 5 Key Steps
Speaker: David Hoelzer

For years the security community has been operating under a triage model in an attempt to secure the enterprise. As an industry we have finally reached the tipping point to start fixing the problem at the root: the code. What proves that this is needed? How can you help move your organization to a secure development culture? Make sure to attend this keynote with David Hoelzer, an internationally known expert in the security community, as he shares the process that he uses to bake security into the development process in the corporations that he consults for.

Use These HTTP Headers or Get pwned – Protecting Your Site with the Latest Protective Headers
Speaker: Jason Lam

Attackers are hacking websites with the latest techniques. Clickjacking, XSS and CSRF are all part of their arsenal. Feeling outgunned? This presentation covers the HTTP headers that can help secure your site, in effect avoiding some future incident handling and forensics work when your site gets owned.

We will talk about the security-related headers that have become available in the last couple of years and the recent trend in adoption. HTTP headers will become a critical part of the defense mechanisms of any Web site in the coming years. Don’t miss out on this upcoming trend.

GIAC Program Overview
Speaker: Tanya Baccam

GIAC certification provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job. Find out why this is important to your career.

The Road to Sustainable Security
Speaker: David Rice

Within the story of the U.S. battle against environmental pollution lie key lessons for confronting the equivalent of pollution in cyberspace: software vulnerabilities. The toxic effluence of software vulnerabilities leaves networks saturated with spam, computers clogged with malware, and servers defoliated of sensitive private data. To date, a series of less-than-satisfactory regulatory attempts – such as PCI, SOX, and data breach laws – have been enacted to address what appears to be widespread unresponsiveness to the substantial harm to the global digital ecosystem caused by unrestricted vulnerability dumping. Faced with serious and costly legacy issues of poorly implemented software systems, however, many companies continue to stonewall or delay security programs, emphasizing legal compliance and reactionary practices while demonstrating no real improvement. What would it take to change this, to turn the crisis of “pollution” in cyberspace into an opportunity?

This talk highlights a possible fresh perspective, putting software security into the context of social responsibility linked to corporate performance, illustrating how the software market – like corporate America – stands upon the threshold of its greatest opportunity.

All special and vendor events are included with training event registration.

AppSec 2011 Vendor Showcase
Get the answers to your questions at the AppSec 2011 Vendor Showcase. Evaluate vendor tools and services in an interactive environment and increase your productivity, effectiveness and knowledge gained from your SANS training.

Come visit with these and other leading vendors providing the solutions you are looking for in Application Security.

The Best Place to Find AppSec Information and Resources

With 80% of vulnerabilities existing in the application layer, it’s imperative that developers, programmers and appsec professionals understand the threats and know how to prevent them. SANS’ Software Security Institute (SSI) Website (www.sans-ssi.org) brings developers, programmers and appsec professionals free research and news resources to keep you up to date with the most recent attack vectors and application vulnerabilities; training for web application security and hacking defense, secure coding, software security testing, code review and PCI compliance; language-specific secure coding training for Java/JEE, .NET, C, as well as details on programmer/developer certification (GSSP) through our GIAC affiliate.

The SSI site also features the Application Security Street Fighter Blog, where you can find and share techniques on defending and testing web applications as well as interesting secure-development-related information.

Since training and education are the keys to developing secure Web apps, the SANS Software Security Institute website provides the latest SANS appsec course descriptions and class schedules. Some courses offer 20 - 30 minute demos so you can take a test drive of the course. Webcasts are also posted here and are a really great way to keep your skills sharp.

This site was created for the appsec community, so visit often and contribute when you can. We want to make SSI the one-stop shop for appsec info, so if you have any suggestions on improvements, please let us know at [email protected].

GIAC Secure Software Programmer Certification (GSSP)

The GIAC Secure Software Programmer (GSSP) Certification Exam was developed in a joint effort involving the SANS Institute, CERT/CC, several US government agencies, and leading companies in the US, Japan, India, and Germany. These exams are an essential response to the rapidly increasing number of targeted attacks that are focusing on application vulnerabilities. They help organizations meet four objectives:
• Identify shortfalls in security knowledge of in-house programmers and help those individuals close the gaps.
• Ensure outsourced programmers have adequate secure coding skills.
• Select new employees who will not need remedial training in secure programming.
• Ensure each major development project has at least one person with advanced secure programming skills.

We offer GSSP certifications for the C, .Net and Java languages. A GSSP certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common programming errors that lead to most security problems.

For more information about the GSSP exams, go to www.sans-ssi.org/certification.

Registration Information

We recommend you register early to ensure you get your first choice of courses. To register, go to www.sans.org/appsec-2011

Register Early and Save
• Register & pay by 1/26/11: $400.00 discount
• Register & pay by 2/2/11: $250.00 discount

Group Savings (applies to tuition only)
• 15% discount if 12 or more people from the same organization register at the same time
• 10% discount if 8–11 people from the same organization register at the same time
• 5% discount if 4–7 people from the same organization register at the same time

To obtain a group discount, complete the discount code request form at www.sans.org/training/discounts.php prior to registering.

To register, go to www.sans.org/appsec-2011. Select your course or courses and indicate whether you plan to test for GIAC certification.

How to tell if there is room available in a course: If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.

Cancellation
You may substitute another person in your place at any time by e-mail ([email protected]) or by fax to 301-951-0140. There is a $300 cancellation fee per registration. Cancellation requests must be received by February 9, 2011 by fax or mail in order to receive a refund.

Look for E-mail Confirmation – It Will Arrive Soon After You Register
We recommend you register and pay early to ensure you get your first choice of courses. An immediate e-mail confirmation is sent to you when the registration is submitted properly. If you have not received e-mail confirmation within two business days of registering, please call the SANS Registration office at 301-654-7267, 9:00am - 8:00pm Eastern Time.

Hotel Information
The Stanford Court Renaissance San Francisco Hotel
905 California Street - Nob Hill, San Francisco, California 94108
Phone: 1-415-989-3500 • Fax: 1-415-391-0513
Web site: http://bit.ly/6EvKGB

Breathtaking views of the City and the Bay, along with luxurious surroundings, are a few of the many highlights of the contemporary guest rooms and suites within this historic hotel. Dine under the Tiffany-style dome in Aurea, one of San Francisco’s hottest new restaurants and lounges, and savor the seasonal cuisine that celebrates Bay Area and California culinary artisans. Hop on one of the three Cable Car lines that run directly in front of the Nob Hill hotel and be whisked away to see all of San Francisco’s famous attractions. Discover the best of San Francisco’s charm and character, while enjoying the finest of hotels in Nob Hill at The Stanford Court, A Renaissance Hotel.

SANS has secured a conference rate of $175 per night including free Internet. The hotel special rate cut-off date is February 13, 2011.

Note: You must mention that you are attending the SANS Institute training to get the discounted rate. The hotel will require a major credit card to guarantee your reservation.

To cancel your reservation, you must notify the hotel at least 72 hours before your planned arrival date.