“There are an increasing number of options around deploying IT applications from onsite through various forms of externally hosted public and private infrastructure but all of these options are absolutely dependent on the ability to answer a fundamental question – “How secure are your web applications?” explains Dave Shackleford, SANS Instructor and highly experienced security expert. “If you can’t answer the last question then where your critical applications resides is the least of your worries,” quips Shackleford who suggests that organisations concern over deployment models has confused a more pressing issue around secure application design and testing.
Shackleford is the founder of consultancy Voodoo Security and senior instructor, author, and analyst with SANS. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. Shackleford has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security.
“If you look into the detail at major breaches, it is the holes in web apps that have resulted in the theft of millions of credit cards alongside major financial and reputational damage for hundreds of enterprises,” says Shackleford, “Irrespective of where web apps reside, organisations must assume that vulnerabilities exist or will appear as platforms evolve and find and fix these flaws before the bad guys do.”
Shackleford stresses that many of the basic issues such as building applications with buffer-overflow and SQL injection vulnerabilities are still prevalent and are still widely exploited by hackers.
Shackleford will be teaching the SANS SEC542: Web App Penetration Testing and Ethical Hacking course as part of SANS Tallinn 2014 in Estonia this September. The course is aimed at helping web site designers, architects, and developers understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. Through detailed, hands-on exercises and training, attendees learn a four-step process for Web application penetration testing.
The course kicks off with “understanding the attacker's perspective” as the key to successful Web application penetration testing and thoroughly examines Web technology, including protocols, languages, clients, and server architectures, from the attacker's viewpoint. The course then progresses through a logical set of phases including ‘Reconnaissance and Mapping”, “Discovery” and “Exploitation”. The final day offers a “capture the flag” challenge allowing students to explore the techniques, tools, and methodology learnt during the course against a realistic intranet application. “The goal is to learn the skills and processes used by an attacker to become better defenders,” Shackleford adds.