Slashdot Mirror


Application Security Testing and Training?

slashDoug asks: "I am a career tester who now has an opportunity to bring application security testing in-house in the form of training. We have a network team that already does network penetration testing and hardware hacking to keep our web infrastructure and sites secure, but I am interested in focusing on the security flaws of our designed web applications. I have read through a couple of books on the subject which have different insights ('How to Break Software Security' by James Whittaker, and 'Writing Secure Code' by Howard and LeBlanc) and would like to bring that kind of knowledge to the other testers in my group. Does anyone have any recommendations on training groups that I could bring in-house to train a team of software testers? Your thoughts and recommendations are greatly appreciated!"

13 comments

  1. OWASP, Matching the training to the individual by dancornell · Score: 4, Interesting

    For background information I highly recommend the Open Web Application Security Project (http://www.owasp.org/). There are local chapters all over the world that should have regular meetings; I help run the San Antonio chapter.

    The important thing is to target any training so that it matches the background of those being trained. I have done work with IT Audit groups and they wanted to learn how to do application security assessments themselves. Given their background this simply was not in the cards, so we instead focused their attention on how to audit the assessment process to make sure that tools were being used properly and the outcomes of the assessments were being addressed by the development teams. Training for network security folks can include how to run scanning tools and interpret the results, as well as how to do some manual testing of their own. Developers can obviously learn about the assessment process, but will ultimately need training on how to design and code secure systems. In any case, the important thing is to match the training being given with the job responsibilities and capabilities of those being trained.

    As for groups that do this sort of training, obviously I am biased, but my company Denim Group (http://www.denimgroup.com/) does application security training for developers, auditors, QA and network security folks. McAfee and Symantec offer courses as well.

    Thanks,

    Dan

    1. Re:OWASP, Matching the training to the individual by Anonymous Coward · Score: 1, Insightful

      Just a follow-up on the OWASP stuff -- going through WebGoat might be an interesting exercise. It's a hands-on approach to how web security might be compromised by more malicious types. You're probably more advanced than any of the stuff, but if nothing else, it's a good refresher course to reinforce what you've learned.

    2. Re:OWASP, Matching the training to the individual by licamell · Score: 1

      Man, I hope your company isn't paying for hosting by bandwidth... or your bosses might be a little upset about how you just slashdotted your own page. I guess that's the price of "free" advertising on Slashdot.

    3. Re:OWASP, Matching the training to the individual by dancornell · Score: 1

      Site is up. Apparently the service provider who provides our DNS is being DDoS'd right now. Super...

      --Dan

    4. Re:OWASP, Matching the training to the individual by charlesnw · Score: 1

      They obviously didn't use your services. Just kidding :)

      --
      Charles Wyble, System Engineer

  2. Put them in a boxing ring. by Anonymous Coward · Score: 0

    It's the only practical method.

  3. How quaint by Profane+MuthaFucka · Score: 0, Offtopic

    Ritual combat to settle an honor debt. Next time I hope they use pistols.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!

    1. Re:How quaint by Profane+MuthaFucka · Score: 1

      That's not offtopic. I am commenting SPECIFICALLY on the article.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!

  4. Career tester? by nekoniku · Score: 3, Funny

    I'd like to be a career tester! First I'd like to test being a lion tamer! Then maybe a fighter pilot...

    --
    "It's a wonderful idea. But it doesn't work." -- Tad Danielewski

    1. Re:Career tester? by plover · Score: 1

      Maybe you don't want to go straight into testing lion taming. Perhaps you should work up to it by testing careers in steps, say, via banking.

      --
      John

  5. No! by XanC · Score: 1

    No, I don't want to wait! At nine o'clock tomorrow I want to be in there, taming!

  6. Training from real experts in software security by thedletterman · Score: 1

    Unfortunately for you, most of the real experts in software security are currently facing jail time.

    --
    Any fool can criticise, condemn, and complain, and most fools do. - Benjamin Franklin

  7. Secure coding classes, not testing but... by bourne · Score: 2, Informative

    SANS, a well-respected hands-on security training organization, has several courses on application-level security: Securing Oracle, Web Application Security Workshop, Secure Internet Presence LAMP, and .Net Security among them. These are aimed at programmers, not testers, but would be beneficial to anyone doing code audits and black-box testing of applications.

    Not quite what you asked for, but maybe something you'll want to look into.