Kevin Johnson, CISSP
CISSP | CEO
Secure Ideas, LLC
For around 15 years OWASP has released the Top 10 Most Critical Web Application Security Risks list. It has been the basis of much development and consternation, but do you really understand what each of these issues and their corresponding controls mean? As a developer, do you know how to prevent these issues? As a security professional, do you truly know what the proactive controls are and how to evaluate their effectiveness? In this two-day hands-on course brought to you by the (ISC)2 Professional Development Institute, Secure Ideas will walk attendees through the various items in the latest OWASP Top 10 released in 2017 and the corresponding proactive controls. Students will leverage modern applications to explore how the vulnerabilities work and how to find them in their own applications.
Required Equipment: Laptop with 4-8GB of RAM, 50GB of disk space, a wireless NIC, and VMware (Workstation, Player, or Fusion) or VirtualBox. Please see additional details below.
Course Outline:
• Introduction
• OWASP Top 10 Critical Web Application Security Risks
• Development & Testing Methodology Overview
• Test Lab & Class Targets
• A1: Injection
  • SQL Injection
  • File Include
  • Command Injection
• A2: Broken Authentication
• A3: Sensitive Data Exposure
• A4: XML External Entity
• A5: Broken Access Control
• A6: Security Misconfiguration
• A7: Cross-Site Scripting (XSS)
• A8: Insecure Deserialization
• A9: Using Components with Known Vulnerabilities
• A10: Insufficient Logging and Monitoring
• Proactive controls
• Conclusions
Who Should Attend?
Security professionals wanting to explore the OWASP Top 10 Most Critical Web Application Security Risks and learn more about proactive controls and how to evaluate their effectiveness.
Requisite Skills:
Participants should be familiar with security concepts and bring the required equipment so that they can participate effectively in the hands-on activities. By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
Detailed Equipment Requirements:
IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS
To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network. It is the students' responsibility to make sure that the system is properly configured with all the drivers necessary to connect to an Ethernet network.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion.
Windows
The course includes a VMware image file of a guest Linux system that is larger than 12 GB. Therefore, you need a file system with the ability to read and write files that are larger than 3 GB, such as NTFS on a Windows machine. The course also includes a VMware image file of a guest Windows 10 system, which will enable you to perform labs on this VMware guest instead of on a host system.
IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
We also require that no enterprise group policies be applied to the system. These policies can and will interfere with our labs.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
VMware
You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have VMware Workstation installed on your system prior to coming to class.
You can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website.
If you are using a MacBook or MacBook Pro, you will need VMware Fusion.
We will give you a USB full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all our tools pre-installed that runs within VMware Player or VMware Workstation.
Linux
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation. The class does not support VirtualPC or other non-VMware virtualization products.
Mandatory Laptop Hardware Requirements:
• x64-compatible 2.0 GHz CPU minimum
• USB port
• 8 GB RAM or higher required; 16 GB strongly recommended
• Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
• USB wireless adapter required. We recommend the following: https://www.amazon.com/s/url=search-alias=aps&field-keywords=RALINK+USB+WIFI+RT5370
• 70 GB available hard drive space
• Any Service Pack level is acceptable for Windows 10 or 8.
During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. (ISC)² is not responsible for your system if someone in the class attacks it in the workshop.