Penetration Testing mailing list archives

Re: application security testing training


From: "William Allsopp" <William_Allsopp () eur 3com com>
Date: Thu, 2 Dec 2004 16:03:10 +0000



Hi all,

> I am looking for application security testing training, most of the companies
> offer security testing course targeted for infrastructure security like how to
> pen test a sql server, IIS etc. I want something like code review, memory
> leaks, reverse engineering, writing buffer overflow exploits etc.
>
> Though I have googled it, I would appreciate if someone can provide comments if
> he/she has already undergone such training.

The reason you've not had so much luck finding such a course is that whilst
various pen testing techniques i.e. testing IIS can be taught in isolation, the
areas you've indicated require a reasonable grounding in other fields such as
software design and a good understanding of memory architecture.

However, I'll try my best to point you at some resources......

For code review, RATS and flawfinder are two tools you may find useful in
gleaning an understanding of code review techniques from the point of view of
catching the use of functions that might lead to security problems (such as
strcpy()).

A good book on discovering buffer overflows and related issues is The
Shellcoder's Handbook or anything you can find on the net by Mr. Litchfield for
that matter, his style of writing isn't quite as tedious as other missives on
this subject (but don't bother until your knowledge of assembler extends beyond
"Hello World"). Read Aleph1's paper on stack overflows from a Linux perspective,
"Smashing the stack for fun and profit".

There are many papers on the net on reverse engineering. From a Windows
perspective, you could do a lot worse than acquire a copy of softice, ida and hew
and study the various tutorials that are scattered around.

Hope this helps.

W
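
The kind of call that scanners such as RATS and flawfinder report (strcpy() into a fixed buffer), shown beside a bounded replacement a reviewer would accept. This is an added example, not part of the original message; the function names and the 16-byte buffer are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* constructed buffer size for this example */

/* Flagged pattern: strcpy() into a fixed-size buffer with no length check.
 * It is only safe if every caller guarantees strlen(src) < NAME_BUF,
 * which a lexical scanner cannot see, so it reports the call for review. */
void copy_name_unchecked(char dst[NAME_BUF], const char *src)
{
    strcpy(dst, src);
}

/* Reviewed replacement: find the terminator within the destination size,
 * refuse input that does not fit, and always leave dst NUL-terminated.
 * Returns 0 on success, -1 on bad arguments or oversize input. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    end = memchr(src, '\0', dst_size);   /* stops at the first NUL found */
    if (end == NULL)
        return -1;                       /* no room for text plus terminator */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: short, exactly fitting, and too long. */
    const char *inputs[] = { "alice", "exactly15chars!",
                             "this input is longer than the buffer" };
    char name[NAME_BUF];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_name_checked(name, sizeof name, inputs[i]);
        printf("%-40s -> rc=%d stored=\"%s\"\n", inputs[i], rc, name);
    }
    return 0;
}
```

A scanner will still report the strcpy() in `copy_name_unchecked`; the review question is whether every caller bounds the source, and the checked version makes that bound local to the copy.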


