Re: application security testing training

["Robert Foxworth" <rfoxwor1 () tampabay rr com>]

A new book has just appeared, called Gray Hat Hacking, and has
pretty good technical detail on some of these issues. Osborne,
over 400 pages, cost $50, 5 authors Copyright 2005.
ISBN 0-07-225709-1.  I have no connection with this book other
than as a reader.

- Bob  (GSEC)



> SANS Track 4 is not bad but has little time devoted to buffer
overflows and
> format string
> attacks. Not to metion other like minded phenomenom. It is very hard
to find
> pertinent
> training at this level really. Not only that but as Trey pointed out
you need
> some prior
> knowledge before attending this type of training. I would certainly
counsel
> anyone to check
> with the vendor for the knowledge base required to fully benefit from
this type
> of specialized
> training.
>
> Cheers,
>
> Don
>
> --------------------------------------------------------------
> Don Parker, GCIA GCIH
> Intrusion Detection & Incident Handling Specialist
> Bridon Security & Training Services
> http://www.bridonsecurity.com
> voice: 1-613-302-2910
> --------------------------------------------------------------
>
> On Thu, 2 Dec 2004 16:50 , 'Keifer, Trey'
<Trey.Keifer () fishnetsecurity com> sent:
> > While having a solid foundation in both the tools (IDA Pro, softice,
gdb) and
> concepts of both
> > programming languages (C/C++/.NET) and systems architecture(Assembly
and i386
> instruction sets) will
> > certainly give you the ability to perform these types of assessments,
I feel it
> is unrealistic to
> > expect someone to be able to pick up that knowledge in a timeframe
relevant to
> apply it to themselves
> > or their work immediately. Either you have studied those subjects in
the past
> and you are going to put
> > them together now with security in mind or someone is going to pay
you to work
> on more basic
> > assessments and pick the rest up as you can. For individuals with an
immediate
> need to learn the
> > techniques and apply it to their job they need to have an environment
they can
> ask questions and be
> > provided guidance in directions to go when they get stuck. (which can
take long
> hours and lots of
> > creativity to overcome when self-teaching)
> >
> > SANS Institute offers a supplemental "break out" course by Lenny
Zeltser (one of
> the only GIAC GSE's
> > in the world right now) on Reverse Engineering Malware. It teaches
both reverse
> engineerig
> > fundamentals and how to use the tools (primarily IDA and Vmware) to
analyze
> compiled binaries via a
> > "black-box" method. I wish they would offer it as a full course, but
I haven't
> seen it yet. The course
> > is great though because it gives you hands-on with the tools in an
> assessment/investigative mindset
> > and because it is malware the apps themselves are typically small and
manageable
> by beginners.
>
> <snip for b/w>