Penetration Testing mailing list archives
Re: application security testing training
From: "Robert Foxworth" <rfoxwor1 () tampabay rr com>
Date: Sat, 4 Dec 2004 08:52:20 -0500
A new book has just appeared, called Gray Hat Hacking, and has pretty good technical detail on some of these issues. Osborne, over 400 pages, cost $50, 5 authors Copyright 2005. ISBN 0-07-225709-1. I have no connection with this book other than as a reader. - Bob (GSEC)
SANS Track 4 is not bad but has little time devoted to buffer overflows and format string attacks. Not to mention other like-minded phenomena. It is very hard to find pertinent training at this level really. Not only that but as Trey pointed out you need some prior knowledge before attending this type of training. I would certainly counsel anyone to check with the vendor for the knowledge base required to fully benefit from this type of specialized training.
Cheers,
Don
--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------
On Thu, 2 Dec 2004 16:50 , 'Keifer, Trey' <Trey.Keifer () fishnetsecurity com> sent:
While having a solid foundation in both the tools (IDA Pro, softice, gdb) and concepts of both programming languages (C/C++/.NET) and systems architecture (Assembly and i386 instruction sets) will certainly give you the ability to perform these types of assessments, I feel it is unrealistic to expect someone to be able to pick up that knowledge in a timeframe relevant to apply it to themselves or their work immediately. Either you have studied those subjects in the past and you are going to put them together now with security in mind or someone is going to pay you to work on more basic assessments and pick the rest up as you can.
For individuals with an immediate need to learn the techniques and apply it to their job they need to have an environment they can ask questions and be provided guidance in directions to go when they get stuck. (which can take long hours and lots of creativity to overcome when self-teaching)
SANS Institute offers a supplemental "break out" course by Lenny Zeltser (one of the only GIAC GSEs in the world right now) on Reverse Engineering Malware. It teaches both reverse engineering fundamentals and how to use the tools (primarily IDA and VMware) to analyze compiled binaries via a "black-box" method. I wish they would offer it as a full course, but I haven't seen it yet. The course is great though because it gives you hands-on with the tools in an assessment/investigative mindset and because it is malware the apps themselves are typically small and manageable by beginners.
<snip for b/w>