Penetration Testing mailing list archives
Re: application security testing training
From: "William Allsopp" <William_Allsopp () eur 3com com>
Date: Thu, 2 Dec 2004 16:03:10 +0000
> Hi all,
>
> I am looking for application security testing training. Most of the companies
> offer security testing courses targeted at infrastructure security, like how to
> pen test a SQL server, IIS etc. I want something like code review, memory
> leaks, reverse engineering, writing buffer overflow exploits etc.
>
> Though I have googled it, I would appreciate it if someone could provide
> comments if he/she has already undergone such training.

The reason you've not had so much luck finding such a course is that whilst various pen testing techniques, i.e. testing IIS, can be taught in isolation, the areas you've indicated require a reasonable grounding in other fields such as software design and a good understanding of memory architecture. However, I'll try my best to point you at some resources...

For code review, RATS and flawfinder are two tools you may find useful in gleaning an understanding of code review techniques from the point of view of catching the use of functions that might lead to security problems (such as strcpy()).

A good book on discovering buffer overflows and related issues is The Shellcoder's Handbook, or anything you can find on the net by Mr. Litchfield for that matter; his style of writing isn't quite as tedious as other missives on this subject (but don't bother until your knowledge of assembler extends beyond "Hello World"). Read Aleph1's paper on stack overflows from a Linux perspective, "Smashing the Stack for Fun and Profit".

There are many papers on the net on reverse engineering. From a Windows perspective, you could do a lot worse than acquire a copy of SoftICE, IDA and hew and study the various tutorials that are scattered around.

Hope this helps.

W
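As an added illustration of the code-review technique William mentions (flagging calls such as strcpy() the way RATS and flawfinder do), here is a small Python scanner that is not part of the original post or of either tool; the call table, its advice strings and the sample C file are constructed for this example.

```python
import re
from typing import List, Tuple

# Illustrative subset of C calls a first-pass review flags (assumed; not the
# actual RATS/flawfinder rule database).
RISKY_CALLS = {
    "strcpy":  ("high",   "unbounded copy; use a size-bounded copy such as snprintf"),
    "strcat":  ("high",   "unbounded append; check remaining space first"),
    "gets":    ("high",   "no length limit at all; use fgets with the buffer size"),
    "sprintf": ("medium", "no bound on output length; use snprintf"),
    "scanf":   ("medium", "%s without a field width reads unbounded input"),
}
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")


def strip_strings_and_comments(src: str) -> str:
    """Blank out string literals and comments so a mention of strcpy inside a
    printf format or a /* comment */ is not reported; newlines are kept."""
    src = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def find_risky_calls(src: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, function, severity, advice) for each risky call site."""
    findings = []
    for lineno, line in enumerate(strip_strings_and_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            severity, advice = RISKY_CALLS[name]
            findings.append((lineno, name, severity, advice))
    return findings


# Constructed sample input: one real finding, two decoys that must not fire.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* strcpy(...) named in a comment must not be flagged */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                      // real finding: unbounded copy into buf[32]
    printf("strcpy(%s) done\\n", buf);      // inside a string literal: not flagged
    snprintf(buf, sizeof buf, "%s", name);  // bounded: not flagged
}
"""

if __name__ == "__main__":
    for lineno, name, severity, advice in find_risky_calls(SAMPLE_C):
        print(f"line {lineno}: {name}() [{severity}] {advice}")
```

A pattern match like this is only a triage aid: it cannot tell a copy into a buffer that was sized correctly from one that was not, which is exactly the judgement the code reviewer still has to make.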
Current thread:
- application security testing training Gaurav Kumar (Dec 02)
- RE: application security testing training pingywon (Dec 03)
- <Possible follow-ups>
- Re: application security testing training William Allsopp (Dec 02)
- re: application security testing training Alfred Huger (Dec 02)
- re: application security testing training Don Parker (Dec 02)
- RE: application security testing training Keifer, Trey (Dec 02)
- RE: application security testing training Keifer, Trey (Dec 02)
- Re: application security testing training Eirik Seim (Dec 09)
- RE: application security testing training Don Parker (Dec 03)
- Re: application security testing training Robert Foxworth (Dec 05)