OWASP AppSec DC 2012/Training/Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA

Description
Course Length: 1 Day

Enterprise application source code, independent of language and platform, is a major source of vulnerabilities. The class is designed to focus on enterprise architecture and application analytics to discover vulnerabilities across Web 2.0, RIA and HTML5. We will cover analysis techniques, with tools, for assessment and review of enterprise application source code. It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class is on developing a complete understanding of source code analysis, techniques and tools to address the top set of vulnerabilities. The knowledge gained will help in analyzing and securing next-generation enterprise applications at all stages: architecture, design and/or development. The course is designed and delivered by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA", bringing his experience in application security and research to the curriculum.

Student Requirements
The class will be demo driven. Laptop Required: No

Objectives
Audience: Technical Skill Level: Basic

Objectives are as under:

- Application source code assessment and methodologies for next-generation applications running on Web 2.0 libraries, the HTML5 stack and Adobe platforms.
- Detecting OWASP Top 10 and CWE Top 25 errors and vulnerabilities, mapped to the newer stack.
- Enhancing your ability to understand enterprise application frameworks and structures in the newer context.
- Dealing with different protocols and structures in the enterprise environment for vulnerability assessment.
- Detecting the state of source code for attack vectors like DOM-based XSS, Flash/Flex-based XSS, SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), path traversal, session hijacking, LDAP/XPath/command injection, buffer overflow, input validation bypassing, database hacks, Ajax exploits, Web Services attack vectors etc.
- Using tools and writing scripts for source code analysis and vulnerability mapping.
- Code review methodologies: spidering the code, enumerating blocks and identifying modules.
- Scanning for vulnerabilities and analysis by function and method signature mapping, entry point identification, data access layer calls, and tracing variables and functions.
- Decomposing assemblies to discover other security vulnerabilities, and structured analysis.
- Key security aspects and domains for enterprise security: authentication, authorization, session management, crypto usage and error handling.
- Defense plans and strategies; secure objects, functions and wrappers.
- Detecting vulnerabilities in advanced technologies like Ajax, Rich Internet Applications (RIA) and SOA.
- XML and Web Services security for SOAP, XML-RPC and REST-based attacks, and secure coding.
- Client-side coding and security: Ajax, HTML5 and JavaScript analysis, Flash-based application reviews and browser security.
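The review methodology in the objectives (entry point identification, then tracing variables until they reach a dangerous call) is a source-to-sink analysis. The script below is an added example written for this page, not course material or Blueinfy's tooling: it walks JavaScript line by line, marks variables assigned from DOM entry points such as `location.hash` as tainted, propagates taint through simple assignments, and reports where a tainted value reaches `innerHTML`, `document.write` or `eval`, with the chain of variables that carried it. The sample JavaScript, the source and sink lists, and the helper names `escapeHtml`/`encodeURIComponent` treated as neutralising a value are constructed assumptions.

```python
"""Toy intraprocedural source-to-sink scanner for DOM-based XSS in JavaScript.

Added example for illustration only (not OWASP's or Blueinfy's tooling). The
source/sink lists, the sanitizer names and the sample JS are constructed.
"""
import re
from dataclasses import dataclass, field

# Attacker-influenced DOM entry points (taint sources).
SOURCES = re.compile(
    r"\b(location\.(hash|search|href)|document\.(URL|referrer)|window\.name)\b")

# Dangerous sinks: name -> regex whose group 1 is the expression reaching the sink.
SINKS = {
    "innerHTML":      re.compile(r"\.innerHTML\s*=\s*(.+?);?\s*$"),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\((.+)\)"),
    "eval":           re.compile(r"\beval\s*\((.+)\)"),
}

# Calls assumed (hypothetically) to neutralise a value before it hits a sink.
SANITIZERS = ("escapeHtml(", "encodeURIComponent(")

ASSIGN = re.compile(r"^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$")
IDENT = re.compile(r"[A-Za-z_$][\w$]*")


@dataclass
class Finding:
    line: int
    sink: str
    expr: str
    path: list = field(default_factory=list)  # [(source or variable, line), ...]


def taint_of(expr, tainted):
    """Return the taint path if expr carries attacker-controlled data, else None."""
    if expr.lstrip().startswith(SANITIZERS):
        return None
    src = SOURCES.search(expr)
    if src:
        return [(src.group(0), None)]
    for ident in IDENT.findall(expr):
        if ident in tainted:
            return tainted[ident]
    return None


def analyze(js):
    """Line-oriented taint tracking: returns a list of Finding objects."""
    tainted = {}   # variable name -> path explaining why it is tainted
    findings = []
    for lineno, raw in enumerate(js.splitlines(), 1):
        code = raw.split("//", 1)[0].strip()   # crude line-comment stripping
        if not code:
            continue
        # Sink check: report tainted expressions flowing into dangerous calls.
        for name, pat in SINKS.items():
            m = pat.search(code)
            if m:
                path = taint_of(m.group(1), tainted)
                if path:
                    findings.append(Finding(lineno, name, m.group(1).strip(), path))
        # Assignment: propagate or clear taint for the assigned variable.
        m = ASSIGN.match(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            path = taint_of(rhs, tainted)
            if path:
                tainted[var] = path + [(var, lineno)]
            else:
                tainted.pop(var, None)   # reassigned to something clean
    return findings


# Constructed sample: a widget that echoes the URL fragment and a query param.
SAMPLE_JS = """\
// constructed sample: a widget that echoes the URL fragment
var raw = location.hash.substring(1);
var greeting = "Hello " + raw;
var safe = escapeHtml(raw);
document.getElementById("out").innerHTML = greeting;   // finding
document.getElementById("safe").innerHTML = safe;      // no finding
var q = new URLSearchParams(location.search).get("q");
document.write("<p>" + q + "</p>");                    // finding
var n = 42;
eval("compute(" + n + ")");                             // no finding
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_JS):
        chain = " -> ".join(name for name, _ in f.path)
        print(f"line {f.line}: {chain} -> {f.sink}({f.expr})")
```

Running it reports two findings: the fragment reaches `innerHTML` via `raw` and `greeting` on line 5, and the query parameter reaches `document.write` on line 8; the sanitised copy and the numeric `eval` argument are not reported. The regex approach is deliberately simple: it misses taint passed through function parameters, object properties and string-embedded `//`, which is why a real review pairs a script like this with a proper parser and manual tracing of the entry points it enumerates.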

Instructor
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space.

He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. His work has been quoted on BBC, Dark Reading and Bank Technology as an expert.

Shreeraj was instrumental in product development, researching new methodologies and training designs. He has performed several security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews and project management.

Blog: http://shreeraj.blogspot.com
Twitter: @shreeraj