Penetration Testing mailing list archives

RE: application security testing training


From: "Keifer, Trey" <Trey.Keifer () fishnetsecurity com>
Date: Thu, 2 Dec 2004 11:54:26 -0600

While having a solid foundation in both the tools (IDA Pro, SoftICE, gdb) and concepts of both
programming languages (C/C++/.NET) and systems architecture (assembly and i386 instruction sets) will
certainly give you the ability to perform these types of assessments, I feel it is unrealistic to
expect someone to be able to pick up that knowledge in a timeframe relevant to apply it to themselves
or their work immediately. Either you have studied those subjects in the past and you are going to put
them together now with security in mind, or someone is going to pay you to work on more basic
assessments and pick the rest up as you can. Individuals with an immediate need to learn the
techniques and apply them to their job need an environment where they can ask questions and be
given guidance on directions to go when they get stuck (which can take long hours and lots of
creativity to overcome when self-teaching).

SANS Institute offers a supplemental "break out" course by Lenny Zeltser (one of the only GIAC GSEs
in the world right now) on Reverse Engineering Malware. It teaches both reverse engineering
fundamentals and how to use the tools (primarily IDA and VMware) to analyze compiled binaries via a
"black-box" method. I wish they would offer it as a full course, but I haven't seen it yet. The course
is great though because it gives you hands-on time with the tools in an assessment/investigative mindset,
and because it is malware the apps themselves are typically small and manageable by beginners.

As well as the above, SANS also offers their Track 4: Incident Handling and Hacker Techniques, which
does get into the specifics of buffer overflows, format string vulnerabilities, shellcode, etc. But it
would probably fall short on the length of time dedicated to these specific subjects for your purposes.

Foundstone and @Stake are both highly regarded in their application auditing, and their courses will
cover secure coding principles. To what degree I can't specify, because I haven't had the opportunity
to sit in on one yet.

Someone else mentioned specialized training from CORE Security. I have had contact with Max Caceres
with that organization and have been *very* impressed with the level of technical competence and
creativity of their R&D staff as well as the IMPACT product they produce. If you can get an
opportunity with them I highly suggest you go for it. 

There are other companies which focus in this area that I would strongly recommend against, but would
have to discuss off-list. 

In the end I agree that it will take a lot of dedication to the tools and technologies discussed in my
first paragraph and by others in the thread. A good start is one of the above-mentioned courses,
though. Take it, concentrate on expanding upon the tools they teach, and you should have an immediate
ability to apply what you learned to your work. It is not something you pick up quickly though; it is
highly specialized, and the tools that offer automation as a shortcut always fall short in my
experience...

Hope this helps,

---
Trey Keifer
Security Engineer - Level II
Fishnet Security

Direct: 816.701.2073
Main: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.474.0394

http://www.fishnetsecurity.com




-----Original Message-----
From: William Allsopp [mailto:William_Allsopp () eur 3com com] 
Sent: Thursday, December 02, 2004 10:03 AM
To: pen-test () securityfocus com
Subject: Re: application security testing training

Hi all,

I am looking for application security testing training. Most of the companies
offer security testing courses targeted for infrastructure security, like how
to pen test a SQL server, IIS etc. I want something like code review, memory
leaks, reverse engineering, writing buffer overflow exploits etc..

Though I have googled it, I would appreciate if someone can provide comments if
he/she has already undergone such training.

The reason you've not had so much luck finding such a course 
is that whilst various pen testing techniques i.e. testing 
IIS can be taught in isolation, the areas you've indicated 
require a reasonable grounding in other fields such as 
software design and a good understanding of memory architecture.

However, I'll try my best to point you at some resources......

For code review, RATS and flawfinder are two tools you may 
find useful in gleaning an understanding of code review 
techniques from the point of view of catching the use of 
functions that might lead to security problems (such as strcpy()).

A good book on discovering buffer overflows and related 
issues is The Shellcoder's Handbook or anything you can find 
on the net by Mr. Litchfield for that matter, his style of 
writing isn't quite as tedious as other missives on this 
subject (but don't bother until your knowledge of assembler 
extends beyond "Hello World"). Read Aleph1's paper on stack 
overflows from a linux perspective "Smashing the stack for 
fun and profit".

There are many papers on the net on reverse engineering. From 
a Windows perspective, you could do a lot worse than acquire a 
copy of softice, ida and hew and study the various tutorials 
that are scattered around.

Hope this helps.

W
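As an added illustration of the kind of finding that code review with RATS or flawfinder surfaces (this is not code from the thread; the function names are hypothetical), an unbounded strcpy() into a fixed-size buffer is shown next to a bounded replacement that refuses over-long input instead of silently truncating it:

```c
/* Added example, not from the mailing list thread. Function names are
 * hypothetical. Shows the strcpy() pattern a reviewer or scanner flags,
 * beside a bounded copy that fails closed on oversized input. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Reviewer finding: strcpy() copies until it finds a NUL, ignoring the size
 * of name[]. Any src of NAME_LEN or more characters writes past the buffer.
 * This is exactly the call flawfinder and RATS report as a hotspot. */
void greet_unsafe(const char *src)
{
    char name[NAME_LEN];
    strcpy(name, src);              /* unbounded copy into a 16-byte buffer */
    printf("Hello, %s\n", name);
}

/* Hardened helper: locate the terminator within dst_size bytes of src
 * (memchr never reads further than that), and reject input that would not
 * fit including its NUL. Returns false and leaves dst empty on rejection. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {              /* no NUL within dst_size: too long */
        dst[0] = '\0';
        return false;
    }
    size_t n = (size_t)(end - src); /* n <= dst_size - 1, so n + 1 fits */
    memcpy(dst, src, n + 1);        /* copy text plus terminating NUL */
    return true;
}

/* Same behaviour as greet_unsafe() for valid input, but over-long names are
 * reported to the caller instead of corrupting the stack. */
bool greet_safe(const char *src)
{
    char name[NAME_LEN];
    if (!copy_bounded(name, sizeof name, src))
        return false;
    printf("Hello, %s\n", name);
    return true;
}
```

Running flawfinder over a file containing greet_unsafe() reports the strcpy() line; the bounded version gives the scanner nothing to flag and gives the reviewer an explicit failure path to check.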
