Penetration Testing mailing list archives
RE: application security testing training
From: Don Parker <dparker () bridonsecurity com>
Date: Thu, 2 Dec 2004 15:20:54 -0800
SANS Track 4 is not bad but has little time devoted to buffer overflows and format string attacks, not to mention other like-minded phenomena. It is very hard to find pertinent training at this level really. Not only that, but as Trey pointed out, you need some prior knowledge before attending this type of training. I would certainly counsel anyone to check with the vendor for the knowledge base required to fully benefit from this type of specialized training.

Cheers,

Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Thu, 2 Dec 2004 16:50, 'Keifer, Trey' <Trey.Keifer () fishnetsecurity com> sent:
While having a solid foundation in both the tools (IDA Pro, SoftICE, gdb) and concepts of both programming languages (C/C++/.NET) and systems architecture (Assembly and i386 instruction sets) will certainly give you the ability to perform these types of assessments, I feel it is unrealistic to expect someone to be able to pick up that knowledge in a timeframe relevant to apply it to themselves or their work immediately. Either you have studied those subjects in the past and you are going to put them together now with security in mind, or someone is going to pay you to work on more basic assessments and pick the rest up as you can. Individuals with an immediate need to learn the techniques and apply them to their job need an environment where they can ask questions and be provided guidance in directions to go when they get stuck (which can take long hours and lots of creativity to overcome when self-teaching).

SANS Institute offers a supplemental "break out" course by Lenny Zeltser (one of the only GIAC GSEs in the world right now) on Reverse Engineering Malware. It teaches both reverse engineering fundamentals and how to use the tools (primarily IDA and VMware) to analyze compiled binaries via a "black-box" method. I wish they would offer it as a full course, but I haven't seen it yet. The course is great though because it gives you hands-on with the tools in an assessment/investigative mindset, and because it is malware the apps themselves are typically small and manageable by beginners.

<snip for b/w>