Information Security Conference For Students!
Topics: Basic Web Application Security And Ethical Hacking
Who Should Attend:
* BS Computer Engineering students
* BS Computer Science students
* BS Electronics and Communications Engineering students
* BS Information Technology / Information Management students
* Faculty, System Administrators, IT Personnel
* Interested individuals
Training Package:
* Soft copy of slides to be sent via email
* Certificate of Completion
* Certificate of recognition for the school
* And a chance to win a RAFFLE!!!
* AM/PM Snacks
Schedule: September 24, 2011 (Saturday)
Duration: 1 Day
Time: 8:00 am to 5:00 pm
Fee: 600.00 only!!
Venue: PDAF Building, 407 Senator Gil Puyat Avenue 1209
Seminar Fee: 600.00 students and professors only!
Topic 1: Web Application Security
Morning Session
Course Outline
1. Application Security Fundamentals and Principles
- The evolution of applications
- Threats to an application
- Application security trends
- The spectrum of application security attacks
2. Application Components and Protocols
- Understanding multilayered application architecture
- Programming languages used in applications - J2EE, .NET, PHP, etc.
- Inside HTTP, HTML forms and browser interaction
- Introduction to tools useful for testing applications
- Web Server configuration
- Web server vulnerabilities
- Fingerprinting web servers and application servers
- Security controls pertaining to web servers and their deployment
3. Application Footprinting, discovery and profiling applications
- Host and Domain discovery
- Discovering web applications and interfaces
- Discovering the functional structure of applications - the hacker's viewpoint
- Advanced techniques - discovering Web services and Web applications
- Profiling Web services and applications
- Ajax fingerprinting
- Profiling Ajax applications
- Server-side entry point detection
4. Application Attack Vectors
- Mapping assets to attacks
- Sifting through HTML source
- Forcing application layer errors
- Information leakage through error messages
- Source code disclosure
- Input tampering and input validation attacks
- SQL injection and attacks on the database
- Injecting malicious code and remote command execution
- Accessing the underlying file system
- Brute forcing HTTP authentication
- Brute forcing HTML form authentication
- Session Hijacking
- Cross Site Scripting (XSS) attacks
- Cross Site Request Forgery (XSRF) attacks
5. Threat Modelling
- Threat analysis
- Architecture review
- Technologies and Source Code
- Threat matrix
- Security controls for code
- Design analysis and review
6. Assessment methods
- Blackbox
- Whitebox
- Analyzing configuration and deployment issues
- Reconnaissance and Vulnerability Assessment
- Fingerprinting Web servers and Architectures
- Defense strategies - Minimizing the window of opportunity
- Leveraging Web mashups and search APIs
7. Application Attack countermeasures
- Security by design
- The importance of application security controls in the software development life cycle
- Secure coding practices
- Protecting data at rest and data in transit
- Client side security
8. An Introduction to Advanced Application Architectures
- Refreshing classic application security threats and vulnerabilities
- Evolution of application architectures
- Web services
- SOAP and AJAX
- Security model for next generation application architectures
- Web Services and SOAP
- XML-RPC
- AJAX enriched clients
- New tools and techniques for attacking advanced application architectures
9. Advanced Web attacks
- XPATH injection
- XML and Schema poisoning
- Blind SQL injection
- XSS proxy a