Penetration Testing mailing list archives

RE: application security testing training

From: Don Parker <dparker () bridonsecurity com>
Date: Thu, 2 Dec 2004 15:20:54 -0800

SANS Track 4 is not bad but has little time devoted to buffer overflows and
format string
attacks. Not to metion other like minded phenomenom. It is very hard to find
pertinent 
training at this level really. Not only that but as Trey pointed out you need
some prior
knowledge before attending this type of training. I would certainly counsel
anyone to check
with the vendor for the knowledge base required to fully benefit from this type
of specialized
training.

Cheers,

Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Thu, 2 Dec 2004 16:50 , 'Keifer, Trey' <Trey.Keifer () fishnetsecurity com> sent:

While having a solid foundation in both the tools (IDA Pro, softice, gdb) and

concepts of both

programming languages (C/C++/.NET) and systems architecture(Assembly and i386

instruction sets) will

certainly give you the ability to perform these types of assessments, I feel it

is unrealistic to

expect someone to be able to pick up that knowledge in a timeframe relevant to

apply it to themselves

or their work immediately. Either you have studied those subjects in the past

and you are going to put

them together now with security in mind or someone is going to pay you to work

on more basic

assessments and pick the rest up as you can. For individuals with an immediate

need to learn the

techniques and apply it to their job they need to have an environment they can

ask questions and be

provided guidance in directions to go when they get stuck. (which can take long

hours and lots of

creativity to overcome when self-teaching) 

SANS Institute offers a supplemental "break out" course by Lenny Zeltser (one of

the only GIAC GSE's

in the world right now) on Reverse Engineering Malware. It teaches both reverse

engineerig

fundamentals and how to use the tools (primarily IDA and Vmware) to analyze

compiled binaries via a

"black-box" method. I wish they would offer it as a full course, but I haven't

seen it yet. The course

is great though because it gives you hands-on with the tools in an

assessment/investigative mindset

and because it is malware the apps themselves are typically small and manageable

by beginners. 

<snip for b/w>

Current thread:

application security testing training Gaurav Kumar (Dec 02)
- RE: application security testing training pingywon (Dec 03)
- <Possible follow-ups>
- Re: application security testing training William Allsopp (Dec 02)
- re: application security testing training Alfred Huger (Dec 02)
- re: application security testing training Don Parker (Dec 02)
- RE: application security testing training Keifer, Trey (Dec 02)
- RE: application security testing training Keifer, Trey (Dec 02)
  - Re: application security testing training Eirik Seim (Dec 09)
- RE: application security testing training Don Parker (Dec 03)
  - Re: application security testing training Robert Foxworth (Dec 05)