Advanced Application Security Course

CAST 613

Hacking and Hardening your own Corporate Web App/Web Site

A Developer Perspective

 

A completely unique approach to making internally developed code safe. Sure we all know the basics but have we ever walked a mile in the hacker’s shoes. How would they go about Hacking our Corporate Developed Web Site/Web App? Our Developers are schooled in what they would try? Aren’t they?

How can you possibly know how to protect your home if you don’t know how the burglar breaks into it? It’s impossible! We are taking the unusual approach of hacking our own code using very simple tools that the developer uses every day. The most expensive tool we use is phenomenally priced cost of Chrome. Yes Chrome the browser and a number of other free tools that almost all IT people are familiar with.

You will see your developers eyes light up when they see how easy it is to break in. Most importantly we will show them what the developer can do to prevent it? In this course we take the very unusual approach of allowing the corporate developers themselves to hack their own code. We also allow any other stake holders to watch. It’s almost like a bad car wreck, you just have to slow down and watch.

The unusual approach is that the course is 100% language independent.  It makes no difference if you write in PHP, .NET, Java, Flash/Flex or the 100 other variants or mashups.  If you drive your application from a Browser, and it returns angle brackets, then you are in the right place.


Course Description

A well thought out course designed with the average security unaware programmer in mind. Your developers will be astonished at the things they do every day that turn out to have security flaws in them. To drive the point home, the course is designed with more than 50% involving hands-on coding labs. The ideal participant should have a development background, coding or architecting background either currently or previously. The candidate currently could be a developer trying to raise his or her cyber awareness. Or the Candidate may either now or have moved into a managerial position perhaps making them even more responsible for any security breach. In today’s world, there is not one day that goes by that the national evening news mentions a break in. While that may not seem that ground breaking in and of itself, the truth of the matter is much more staggering. Studies have not only shown but have proven that for every record compromised it can cost the company well over a $1000 in costs to repair. Those costs may be hard $ costs as well as costs of reputation. So if 10, 000 records were compromised… Well do the math! This can be not only a job limiting oversight but a career limiting one as well. And every manager knows after Sarbanes Oxley the finger points back to the man in charge.

Much thought was put into the course to be sure it worked and could be taught as a language agnostic course providing both the developer as well as management types to be exposed to how their own web site/web app could be compromised.

The course will require no special pen testing tools that are normally used during a course similar to this. The author expects that you simply understand program logic. And if you know development techniques and have an architecture background you will walk away with a heightened sense of awareness about the things you do on a day to day basis.

Regardless if you are the developer, the architect or even the project manager each will walk away with an astonishing clarity of how things could be easily improved and secured. To get the most from the course all participants should have at least some programming experience.

This course is NOT language specific although program logic and design concepts both are an absolute must have! Most of the entire course will be not only enlightening but also entertaining and easily well worth the time allocated to take. You will instantly find yourself suggesting this course to other developers, project managers and architects on your team and at your company!