Increased demand for web apps hampered by lack of critical penetration

Inevitable growth of web apps leading to innovative new use cases yet many organisations still struggle with security implementation and testing.

“There are an increasing number of options around deploying IT applications from onsite through various forms of externally hosted public and private infrastructure but all of these options are absolutely dependent on the ability to answer a fundamental question – “How secure are your web applications?” explains Dave Shackleford, SANS Instructor and highly experienced security expert. “If you can’t answer the last question then where your critical applications resides is the least of your worries,” quips Shackleford who suggests that organisations concern over deployment models has confused a more pressing issue around secure application design and testing.


Shackleford is the founder of consultancy Voodoo Security and senior instructor, author, and analyst with SANS. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. Shackleford has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security.


“If you look into the detail at major breaches, it is the holes in web apps that have resulted in the theft of millions of credit cards alongside major financial and reputational damage for hundreds of enterprises,” says Shackleford, “Irrespective of where web apps reside, organisations must assume that vulnerabilities exist or will appear as platforms evolve and find and fix these flaws before the bad guys do.”


Shackleford stresses that many of the basic issues such as building applications with buffer-overflow and SQL injection vulnerabilities are still prevalent and are still widely exploited by hackers.


Shackleford will be teaching the SANS SEC542: Web App Penetration Testing and Ethical Hacking course as part of SANS Tallinn 2014 in Estonia this September. The course is aimed at helping web site designers, architects, and developers understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. Through detailed, hands-on exercises and training, attendees learn a four-step process for Web application penetration testing.


The course kicks off with “understanding the attacker's perspective” as the key to successful Web application penetration testing and thoroughly examines Web technology, including protocols, languages, clients, and server architectures, from the attacker's viewpoint. The course then progresses through a logical set of phases including ‘Reconnaissance and Mapping”, “Discovery” and “Exploitation”. The final day offers a “capture the flag” challenge allowing students to explore the techniques, tools, and methodology learnt during the course against a realistic intranet application. “The goal is to learn the skills and processes used by an attacker to become better defenders,” Shackleford adds.
 

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.