OWASP AppSec USA 2013

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Can you answer these questions? • Are your web applications secure?
• Do you know how to lock down new web applications when they are placed into production?
• Do you know if/when attackers are trying to break into your site and steal data or cause other harm?
• Do you know if/when attackers are attacking other web application users?

If you can not confidently answer yes to all of these questions then this is the class for you!  This 2-day bootcamp is based on the popular book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" written by the class trainer Ryan Barnett.  Copies of the book will be provided to all participants and will be used as the basis for the courseware material.  The class is tailored for web application defenders (operational security personnel) who are charged with protecting live web applications.  The training will provide answers to these questions and increase your ability to identify and thwart malicious activities within your web applications.
You will learn the following skills: • Implement full HTTP auditing for incident response
• Utilize virtual patching processes to remediate identified vulnerabiities
• Deploy web tripwires (honeytraps) to identify malicious users
• Detect when users are acting abnormally
• Analyze uploaded files and web content for malware
• Recognize when web applications leak sensitive user or technical data
• Respond to attacks with varying levels of force

Tools:
Each student will need to bring their own laptop with VMware installed.  For hands-on lab exercises, we will utilize the OWASP Broken Web Applications VM project as it already has many vulnerable target web applications.  OWASPBWA also includes the cross-platform (Apache, IIS and Nginx), open source ModSecurity Web Application Firewall (WAF) and OWASP ModSecurity Core Rule Set (CRS) which is the tool that we will be using for our labs exercises to implement our defenses.