WebApp Sec mailing list archives

RE: WebAppSec Training Courses in UK


From: securityarchitect () hush com
Date: Tue, 3 Dec 2002 11:08:39 -0800


With respect, I think your description of security assessment training is woefully inadequate in today's world. Penetration testing is a snapshot at best and a time trial at worst. Having run some teams for some well known consulting companies in the past, I know all too well the business model and why it's pushed so hard by them. Now working in corporate America, I also see why we the clients (yeah, we as in my company and others at like-minded user groups who, surprisingly, do talk) are getting very frustrated with some security consulting companies and training companies.

<rant>
Firstly, there is little accountability. It's perceived as an art and not a science, and therefore you really have little confidence that all of the things that should have been tested were. Secondly, with 78% of attacks being from insiders (see FBI reports), looking at the hard crunchy outside is of little value. Too many companies' reports read “High Vulnerability – Parameter tampering”. After the sticker shock you read between the lines and find out you can change the page color, and they have made an incredible leap of faith from that to saying you “may” be able to log in with another user's username. An indicator of parameter tampering in one place can lead to it in another. It's the consulting fluff syndrome. You've all heard it before, I am sure: “These sessionIDs don't look random”. Well, test the randomness if you have a math degree! If not, look for the source of randomness, and if /urandom is used then call it out.
</rant>

Someone once used a great analogy. If you're testing for cancer, would you take someone's temperature? Would you look at their eyeballs? Hell no! Get them on the CAT scan machine. Even if the eyeballs are dilated and you can tell they're ill, you still need to locate the problem (offending code) to treat it.

One of the things I liked when I spoke to the OWASP testing people was how they are going to cover what I think should be included in a web application security testing methodology. In a structured, meaningful test you need to firstly sit down and understand the security requirements. How can you ever say there is a problem unless you know the requirements and how it should be? Secondly, you need to understand the application architecture. That's an assessment in itself! How are people using JNDI, LDAP, JMS, <insert architecture component of choice here>? People are finally realizing that XSS is easily cured with a proper architecture ;-) You don't fix it tactically, you fix it strategically.

Then there is a technical assessment, which is where most people think the pen test comes in. But think of this. My requirements have shown that sessions time out after 20 mins, and my architecture review shows I use the servlet container config (server.xml) to do it and the controller servlet to enforce it. I can sit there with a perl script and make a request every 21 mins to each URL (dumb in my opinion), or I can parse web.xml and server.xml for the config. One's a much more effective way to technically test that the requirements have been implemented, IMHO. A pen test may have a place in ensuring that stuff's functioning as it should be; that's where it belongs, again IMHO. flamesOff(security, architect).

And then there's a security source code review, and a web application security management review (what happens when it goes down, who reviews logs, what policy exists to manage the security of the application).

Web application security assessment is far more than a pen test. They are prevalent because consulting companies can pull the wool over clients' eyes with buzzwords and hacker speak, not to mention the business model that works well for the consulting companies. If you pay $40K for a hit and run, that's good business. But if you fix the first hole and have to pay $40K for the next, then it's not economical and the client will soon feel ripped off.

And why does this relate to training? Well, people IMHO need to be trained that web application security assessment consists of many things, not just how to own a web server in 20 mins or how to test for XSS from the outside. Assess strategically, not tactically. Assess how security is baked into the development process and not just in a deployment scenario.
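The config-parsing check the author prefers over a 21-minute request loop, as an added example that is not part of the original post: it reads a servlet `web.xml` (constructed samples, including a namespaced Servlet 2.4 descriptor) and compares `<session-timeout>` with the stated 20-minute requirement, flagging a missing element and non-positive values that never expire. Handling of `server.xml` is left out since its layout is container-specific.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptors (not from the original post).
WEB_XML_OK = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>
</web-app>"""

WEB_XML_NEVER_EXPIRES = """<web-app>
  <session-config><session-timeout>-1</session-timeout></session-config>
</web-app>"""

WEB_XML_MISSING = "<web-app><display-name>demo</display-name></web-app>"


def _local(tag):
    """Strip an XML namespace so Servlet 2.2 and 2.4+ descriptors match alike."""
    return tag.rsplit('}', 1)[-1]


def session_timeout_minutes(web_xml):
    """Return the configured <session-timeout> in minutes, or None if the element
    is absent (the container default then applies; Tomcat's conf/web.xml uses 30)."""
    root = ET.fromstring(web_xml)
    for cfg in root.iter():
        if _local(cfg.tag) == 'session-config':
            for child in cfg:
                if _local(child.tag) == 'session-timeout':
                    return int(child.text.strip())
    return None


def check_session_timeout(web_xml, required_minutes):
    """Compare the deployed descriptor against the stated requirement.
    Returns (passed, finding) so the result feeds a report rather than a guess."""
    configured = session_timeout_minutes(web_xml)
    if configured is None:
        return False, "no <session-timeout>: container default applies, requirement not enforced"
    if configured <= 0:
        return False, f"session-timeout={configured}: sessions never expire"
    if configured > required_minutes:
        return False, f"session-timeout={configured} min exceeds required {required_minutes} min"
    return True, f"session-timeout={configured} min meets the {required_minutes} min requirement"
```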


On Tue, 03 Dec 2002 01:54:14 -0800 Glyn Geoghegan <glyn.geoghegan () corsaire com> wrote:
You also need to determine whether the training you want is
1/ Architecting secure applications
2/ Building secure applications
3/ Application Security Assessments (pentesting)

Each has a very different target audience, and its own set of concerns. 


Secure application architecture can involve broad concepts (e.g. using proper input validation, building a tiered structure of least privilege) or specifics (e.g. secure .Net design).

Building secure apps could start with pseudo code examples of important programming concepts and drill down into specific languages with their pros and cons.

Application Security Assessments could take an application slant on more typical ethical hacking type courses.

I believe @Stake, ISS and Defcom provide Application courses in the UK.
http://www.atstake.com/services/education/courses.html

Glyn.

-----Original Message-----
From: Dan Cuthbert [mailto:dan () idsec com] 
Sent: 02 December 2002 21:57
To: phuc4 () hushmail com
Cc: webappsec () securityfocus com
Subject: Re: WebAppSec Training Courses in UK


I think the problem is finding a trainer that understands the problems associated with web applications and security. Also, the trainer that is providing the training would need to have one helluvah understanding of security\building applications and the whole process.

It's a lovely idea... hmmm, yeah, I can see an OWASP opportunity here.



* phuc4 () hushmail com (phuc4 () hushmail com) wrote:

I have unsuccessfully been looking for any decent WebAppSec training courses in the UK.

It seems that courses are more on the networking side of things, or, when restricted to either specific technologies like J2EE or .Net, but I have yet to find a useful technology-independent course that takes in the wider picture as well as the grimy details.

Any ideas?

Maybe OWASP could start doing training courses?









