Increased demand for web apps hampered by lack of critical penetration

Inevitable growth of web apps leading to innovative new use cases yet many organisations still struggle with security implementation and testing.

“There are an increasing number of options around deploying IT applications from onsite through various forms of externally hosted public and private infrastructure but all of these options are absolutely dependent on the ability to answer a fundamental question – “How secure are your web applications?” explains Dave Shackleford, SANS Instructor and highly experienced security expert. “If you can’t answer the last question then where your critical applications resides is the least of your worries,” quips Shackleford who suggests that organisations concern over deployment models has confused a more pressing issue around secure application design and testing.


Shackleford is the founder of consultancy Voodoo Security and senior instructor, author, and analyst with SANS. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. Shackleford has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security.


“If you look into the detail at major breaches, it is the holes in web apps that have resulted in the theft of millions of credit cards alongside major financial and reputational damage for hundreds of enterprises,” says Shackleford, “Irrespective of where web apps reside, organisations must assume that vulnerabilities exist or will appear as platforms evolve and find and fix these flaws before the bad guys do.”


Shackleford stresses that many of the basic issues such as building applications with buffer-overflow and SQL injection vulnerabilities are still prevalent and are still widely exploited by hackers.


Shackleford will be teaching the SANS SEC542: Web App Penetration Testing and Ethical Hacking course as part of SANS Tallinn 2014 in Estonia this September. The course is aimed at helping web site designers, architects, and developers understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. Through detailed, hands-on exercises and training, attendees learn a four-step process for Web application penetration testing.


The course kicks off with “understanding the attacker's perspective” as the key to successful Web application penetration testing and thoroughly examines Web technology, including protocols, languages, clients, and server architectures, from the attacker's viewpoint. The course then progresses through a logical set of phases including ‘Reconnaissance and Mapping”, “Discovery” and “Exploitation”. The final day offers a “capture the flag” challenge allowing students to explore the techniques, tools, and methodology learnt during the course against a realistic intranet application. “The goal is to learn the skills and processes used by an attacker to become better defenders,” Shackleford adds.
 

Keepit's survey highlights the risks of relying solely on native SaaS backups, underscoring the...
Hitachi Vantara offers new storage solutions on Azure for improved management and cost-efficiency.
Nokia is hailed as the leading core network vendor in Omdia's 2025 report, excelling in...
Financial institutions benefit from hosted private cloud solutions, balancing modernisation with...
HANDD Business Solutions teams up with Cloudhouse to modernise legacy systems and protect sensitive...
Node4 launches a partner support program to aid former VMware partners adapt to the changes...
IONOS deploys the latest supercomputing technology for advanced AI and data applications in a...
DE-CIX begins operations in São Paulo, enhancing Brazil's digital connectivity with cutting-edge...