Secure Web Apps Training at Corporate College

  1. The Security F.I.R.M. Program (from TSI @ Corporate College®)
  2. Lead Instructor: David J. Kennedy, Principal, Profiling and e.Discovery; CISSP, GSEC, MCSE 2003
     As the Practice Lead for Profiling & e.Discovery, Dave provides security solutions to companies and organizations worldwide. His team focuses on the technical side of security, performing penetration tests, source code review, web application security, data forensics, electronic discovery and wireless assessments. Before joining SecureState, Dave spent over five years working with elite security groups and the National Security Agency. He was also in the United States Marine Corps' Intelligence Agency, where he worked with the National Security Agency to combat terrorism and eventually became an instructor for wireless security and data forensics.
     Your Host: Chuck Mackey, HISP, Executive Director, TSI / Security F.I.R.M. Program
     As the Technology Solutions Institute's (TSI) Executive Director, Chuck provides IT and security program direction for Corporate College, a division of Cuyahoga Community College (Tri-C). He is the College's former CISO, where he created the Office of Safe and Secure Computing (OSSC). Chuck holds an MBA in Systems Management and carries the Holistic Information Security Practitioner (HISP) certification. Prior to joining Tri-C, he worked at Deloitte Consulting, Ernst & Young LLP, and Boeing's (former) McDonnell Douglas military aircraft contractor.
  3. Just some of the F.I.R.M.* content (*Foundation, Immersion, Reinforcement, Mastery)
  4. Why Care About Secure Web Applications?
     • 7 out of 10 web applications were vulnerable to a hyperlink with malicious code embedded in it (cross-site scripting: attacker-supplied script that runs in the victim's browser in the context of the site).
     • 1 in 3 web apps aided attackers through information leakage: the website unintentionally reveals sensitive details such as verbose error messages or developer comments.
     • 1 in 4 was susceptible to content spoofing: tricking a user into believing that content appearing on a website is legitimate (a technique commonly used in phishing).
     • 1 in 6 fell prey to SQL injection: user input is concatenated into a database statement, so the attacker alters the statement itself rather than supplying data.
     • 1 in 6 employed insufficient authentication: the website lets an attacker reach sensitive content or functionality without properly authenticating.
     • 1 in 6 used insufficient authorization: the website grants access to content or functionality that should require additional access-control checks.
     • 1 in 7 allowed abuse of functionality: the website's own features are used to consume resources, defraud, or circumvent access-control mechanisms.
     Source: Web Application Security Consortium 2008
  5. So, What is the Issue?
     "With Web 2.0 technologies and other development platforms, applications are becoming increasingly powerful and complex.
     • With complexity comes a growing risk that security vulnerabilities will be introduced into applications.
     • These vulnerabilities lie within the code and can be exploited by anyone who gains access to your website or your software.
     • Developers are trained (if at all) to build complex and feature-rich applications, not safe and secure sites.
     • Increasingly, the software applications that millions of people and businesses depend on every day are being exposed to escalating risks in the form of sophisticated attacks and other threats.
     • Carnegie Mellon University's CERT (Computer Emergency Response Team) tabulates comprehensive data on the number of software vulnerabilities reported each year. Between 1995 and 2007, the data CERT collected and analyzed from numerous sources showed that the number of reported security vulnerabilities increased an average of 37 percent every year."
     Source: The Case for Business Software Assurance, Fortify 2008
  6. The New Security Frontier
     • The hacking community has shifted its efforts toward the application layer.
     • The hacking community is now heavily funded and supported by countries around the world.
     • With companies spending millions of dollars securing the perimeter with network firewalls, intrusion prevention systems, and other devices, hackers have realized the lowest-hanging fruit lies in the applications themselves.
     • Vulnerabilities in application code are being exploited to steal private data, conduct phishing attacks, deface websites, and run any range of online scams.
     • Vulnerabilities have led to breaches exposing over 212 million records over the last 3 years.
  7. Come on, is it really that bad?
     • Gartner reports that 75% of breaches are caused by security flaws in software.
     • The National Institute of Standards and Technology (NIST) reports that 92% of vulnerabilities are in software.
     • The United States Air Force reports that the percentage of attacks directed at their applications (versus their networks) grew from 2% to 36% between 2004 and 2006.
     • InformationWeek reported that the number of hackers attacking banks jumped by 81% between 2005 and 2006, according to figures released at the Black Hat security conference in July 2007. This increase is due to the increased availability of hacking toolkits and malware in the online underground.
     • Underground sites, such as, give attackers a blueprint of how to break into enterprise applications.
     • So, yeah, it's bad.
     Source: The Case for Business Software Assurance, Fortify 2008
  8. What to do?
     • Establish a baseline of where the greatest risk lies in the organization (aka: risk assessment).
     • Define roles and assign responsibility for each task.
     • Educate developers on secure coding.
     • Identify automated solutions that can speed the process of securing applications.
     • Track metrics to gauge the success of each activity.
     ATTEND
     What: Secure Web Apps Development Training
     When: April 7* & 8**, 2009; 8:00 AM – 4:30 PM
     Where: Corporate College East (CCE), 4400 Richmond Rd., Warrensville Hts., OH 44128
     *$299.00/person  **$399.00 for both days
     Includes lunch, materials, and ongoing access to the Security F.I.R.M. Micro-site
     Registration Information:
     Or call Bill @ 216-987-2971
     Limited seating. Completion certificate available.
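Slide 4 lists SQL injection ("altering program statements") and information leakage through error messages as two of the most common findings. The following Python example is added here and is not from the slides or the training material: it builds a constructed in-memory SQLite users table, shows a login check that concatenates user input into the statement and is bypassed by two classic payloads, the parameterized version that treats the same input as data, and a handler that returns a generic failure instead of echoing the database error to the client. All names and sample rows are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny users table.
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the statement, so quotes and keywords in
    the input become part of the program statement itself (SQL injection)."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately, so the
    same input is compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic payloads (constructed): one makes the WHERE clause always true,
# the other comments out the password check entirely ("--" is a SQL comment).
ALWAYS_TRUE = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def handle_login_leaky(conn, username, password):
    """Returns the raw database error to the client: the attacker learns the
    query structure and confirms the injection point (information leakage)."""
    try:
        return login_vulnerable(conn, username, password)
    except sqlite3.Error as err:
        return "Database error: " + str(err)


def handle_login_quiet(conn, username, password):
    """Uses the parameterized query and gives the client one generic answer
    for both 'no such user' and 'something went wrong'; details belong in
    the server-side log, not the response."""
    try:
        row = login_safe(conn, username, password)
    except sqlite3.Error:
        row = None  # would be logged server-side in a real application
    return row if row is not None else "Login failed"


if __name__ == "__main__":
    conn = make_db()
    print("legit / vulnerable:  ", login_vulnerable(conn, "alice", "s3cret"))
    print("bypass / vulnerable: ", login_vulnerable(conn, "x", ALWAYS_TRUE))
    print("comment / vulnerable:", login_vulnerable(conn, COMMENT_OUT, "wrong"))
    print("bypass / safe:       ", login_safe(conn, "x", ALWAYS_TRUE))
    print("bad quote / leaky:   ", handle_login_leaky(conn, "'", "x"))
    print("bad quote / quiet:   ", handle_login_quiet(conn, "'", "x"))
```

The always-true payload works because `AND` binds tighter than `OR`, so `username = 'x' AND password = '' OR '1'='1'` matches every row and the first user (here the admin) is returned; the comment payload simply discards the password clause. With bound parameters both inputs are compared literally against the stored columns and match nothing.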