Web Application Hacking presented at ITWeb Security Summit 2010

by Ian De Villiers (SensePost)

Tags: Web Security

URL: http://www.itweb.co.za/index.php?option=com_content&view=article&id=30301&catid=0&Itemid=178

Summary: An increasing need for custom applications and ever-changing business processes result in developers becoming a key component of all businesses’ IT staff. By extension, this means that developers should also be a core component of any company’s defence strategy.

However, in many cases developers have not been exposed to security practices. As a result, although they may be aware of many attack concepts and have a rudimentary grasp of how these attacks work, they may never have borne witness to such an attack or realised the severity of the impact should it be successfully executed against a deployed application.

The Web Application Hacking workshop, presented by SensePost, is meant to alleviate this issue. It focuses on the most common shortcomings found within web applications, such as injection, cross-site scripting, broken authentication and session management, insecure direct object references, security misconfiguration, unvalidated redirects and forwards, and insufficient transport layer security.

In this workshop, developers will be introduced to these attacks through exercises based on real-life scenarios observed by SensePost staff in the past ten years. Although it focuses specifically on vulnerabilities found within web applications, traditional thick-client applications are vulnerable to similar attacks.

As such, this workshop would be applicable to any developer, as the mind-set and awareness instilled by the course would be of value to the developer of any type of application.

Ian De Villiers: Ian de Villiers is an associate at SensePost. Coming from a development background, his areas of expertise are application and web application assessments. Ian has spent considerable time researching application frameworks and has published a number of advisories relating to portal platforms. He has also provided training on web application security at prestigious events such as the BlackHat briefings in the USA, and has spoken at security conferences on this topic both locally and in Europe.