Twin Cities Quality Assurance Association

  • Home
  • 1-Day Security Testing Awareness

1-Day Security Testing Awareness

  • 15 Sep 2017
  • 8:00 AM - 5:00 PM
  • 1550 Utica Avenue S, Suite 130, St. Louis Park, MN 55416
  • 24

Registration

  • If you are not an Individual Member or the employee of Member Corporation, please register using this option.
  • If your company is a Corporate Member of TCQAA, please register using this registration type.
  • If you have joined as a Member and paid dues for 2017, you may register as a member and pay $50 less than the public purchase price!

Registration is closed
1-day Security Testing Awareness offered by TCQAA and taught by nVisium  
 
Date: Friday, September 15th, 2017  
 
Registration Deadline: Friday, September 8th, 2017.  Payment must be made no later than 9/8/17.
  
Address: 1550 Utica Ave S. (MoneyGram Building), Suite 130, Minneapolis, MN 55416, USA  
 
Time: 8AM - 5PM  
 
Fees:
  • TCQAA Members: $400
  • Non-Members: $450
Synopsis:

nVisium’s General Web Application Security Training course contains topics related to all aspects of an application’s ecosystem that impact security. The course blends lecture and practical exercises in an interactive environment to enhance the learning experience. Code samples provided in pseudocode are framework independent in order to make them easy to consume for testers and security professionals at almost any level. This course focuses on helping Quality Assurance teams test for security issues through manual and automated techniques. 

A well-trained staff is vital to maintaining a secure enterprise environment. With the rapidly increasing amount of threats facing organizations, a well-trained team can be the difference between losing sensitive corporate information and being protected from an attack.

nVisium will teach the TCQAA Students how to identify and exploit common web application vulnerabilities and the risks they present if present in an application. Manual and automated techniques will be utilized to evaluate the security posture of several web applications. 

nVisium’s training environment is accessible via any modern web browser and provides students with access to their training environment, which comes preinstalled with all necessary software. nVisium’s technology stack removes the hassle, energy, and time typically associated with training environment setup. There is no need to install additional software, browser plugins, or adjust firewalls, attendees only need to navigate to a website and instantly begin working in their training environment. 

The following list summarizes the activities to be performed during the training:

  • Train attendees on general application security concepts utilizing real life scenarios from trainers’ experience and industry standards. 
  • Teach the team how to implement tools and techniques for evaluating the security of web applications. 
  • Discuss real-world examples of insecure application failures and fixes. 
  • Answer questions and provide recommendations for implementing application security in the client's environment. 

Each section will have anecdote to enhance the importance as well as hands on activities on how to use Burp Suite (free application testing tool) in their browser to detect vulnerabilities. Students do not need to have prior knowledge on Burp Suite or coding. 

Outline General Web Application Security 

Introduction 

  • Overview of Course Content and Format 
  • Accessing the Lab Environment 
  • Setup of Necessary Tools 

Tools for Quality Assurance 

  • Burp Suite Intercepting Proxy 
  • Introduction 
  • Configuration 
  • Usage 
  • Firefox 

Cross-Site Scripting (XSS) 

  • An Overview of Cross-Site Scripting 
  • XSS Types 
    • Reflected 
    • Stored 
    • DOM 
    • Self 
  • XSS Context 
    • HTML 
    • HTML Attribute 
    • JavaScript 
    • CSS
    • Identification of XSS 
  • Real-World Stories 

SQL Injection 

  • An Overview of SQL Injection 
    • What is SQL Injection? 
    • Where does it Manifest itself? 
    • Basic Mitigation Concepts 
    • Areas where Mitigation May Fail 
  • Detection of SQL Injection 
    • Error-Based 
    • Blind 
  • Exploitation of SQL Injection 
    • Manual 
    • Automated with SQL Map 
  • Real-World Stories 

Cross-Site Request Forgery (CSRF) 

  • Overview of CSRF 
    • What is CSRF? 
    • Why is it Dangerous? 
  • Detection and Exploitation of CSRF 
  • Verb Tampering 

Security Misconfiguration 

  • Verbose Error Messages 
  • Exposed Administrative Interfaces 
  • Insecure HTTP Response Headers 

Authentication System 

  • Password Complexity 
  • Enumeration 
  • Lockout 
  • Insecure Forgot Password 

Authorization – Insecure Direct Object Reference 

  • What are Direct Object References? 
  • Detection via Dynamic Analysis 
  • GUIDS vs. Integers 

Authorization – Function Level

  • Identify Techniques to Find Exposed Functions 
  • An Overview of Google Dorking and the GHDB 
  • A Discussion of Real-World Scenarios 

Sensitive Data Exposure 

  • Insufficient Anti-Caching Headers 
  • SSL/TLS 

Conclusion and Recap


© Twin Cities Quality Assurance Association (TCQAA) a 501c(3) organization. All Rights Reserved.

Powered by Wild Apricot Membership Software