Analyzing and Securing Enterprise Application Code by Blueinfy (Shreeraj Shah & Vimal Patel)

Date: 14.05.2009

Trainers:

Shreeraj Shah (Founder and Director)
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert.

Vimal Patel (Founder and Director)
Vimal Patel is founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy. Prior to founding Blueinfy, he held position of Vice President at Citigroup where he led architecture, design and development of various financial applications. Vimal holds Masters in Computer Science. Vimal has over a decade of experience and expertise in many technologies. His experience ranges from design of complex digital circuits and microcontroller based products to enterprise applications.

Overview:

Enterprise application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there is a possibility of at least one security issue contained in every 1,500 lines of code. To avoid these sort of security issues one needs to follow sound secure coding and design principals. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying to the production. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum.

Secure Coding course for Applications is hands-on class. The class features real life cases, hands one exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the flaws in design and coding practices. The class would then focus on what are the proper ways of writing secure code and analyze the code base.

Course outline:

Following topics will be covered in detail with enterprise application perspective:

• Enterprise application security fundamentals, Enterpirse application evolution, Layered threats, Threat models and Risks, Attack vectors and Hacker’s perspective.
• Application infrastructure overview, Protocols and Coding, Tools for analysis, Server layer components, Browser frameworks and enterprise security
• Enterprise Architecture overview, .NET and J2EE application frameworks and security, Application layers and components, Resources and interactions, Enterprise RPC and API calls.
• Advanced Web Technologies and Web 2.0, Ajax and Rich Internet Applications (RIA) security issues and Web Services and SOA.
• Application attack vectors and Secure Coding, SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Path traversal, Session hijacking, LDAP/XPATH/Command injection, Buffer overflow, Input validation bypassing, Database hacks, Ajax exploits, Web Services attack vectors, Decompiling assemblies and many other security vulnerability detection and analysis
• Principals of Secure Coding, Threat Modeling, Fundamentals, Controls and Strategies. Analyzing and Securing Enterprise Application Code Blueinfy Solutions Pvt. Ltd.
• Key security aspects and Domains for enterprise security like Authentication, Authorization, Session management, Crypto usage and Error handling
• Defense plans and strategies, Secure objects, functions and wrappers
• Code review methodologies by Spidering the code, enumerating blocks, identifying modules.
• Scanning for vulnerabilities and analysis by Function and Method signature mapping, entry point identification, data access layer calls, tracing variables and functions.
• Applying validations across enterprise application by Input validations, Output validations, Data access filtering, and Authentication validates.
• XML and Web Services security for SOAP, XML-RPC and REST base attacks and secure coding.
• Client side coding and security for Ajax and JavaScript analysis, Flash based application reviews and Browser security.
• Understanding of various tools and frameworks with hands-on.

Hands-on:

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies.

workshop cost:

300 EUR Registration on workshops 2009

Workshops of Shreeraj Shah & Viml Petel will take pace in Fortuna Bis Hotel, 25 Pilsudskiego Street in Krakow. It will start at 9am on 14th of May.

You can check localization of the hotel clicking on this link

Lunch is included.

To get there with public transport you can take:

• buses: 103,109,114,124,134,144,152,164,169,173,179,192,194,292,409,512,608,610,902; get off at Cracovia bus stop
• trams: 15 and 18; get off at Cracovia bus stop