With that in mind I’ve collected up the links I’ve used over the past few months into a single post for those that are interested in setting up an SAP test lab and playing about with it.

These trial versions are slightly limited as they don’t offer the ability to update them to the latest build (which is an issue when it comes to security research). They also rely on MaxDB (formerly SAP DB) by default (although I believe one uses IBM DB/2 just for fun). They might be able to be configured to use external databases (Oracle etc…) but with this you’re on your own! I’m as far from a SAP expert as you could probably find.

I’ve tried to break things down by platform as one of my aims was to get and install a few different versions for tool testing. These trials are memory hungry, CPU hungry at times, and need a lot of disk space (>42GB for a single VM).

Note: SAP isn’t for the faint of heart, and getting things running 100% is never going to be easy! Don’t say I didn’t warn you

You’ll need to sign-up for a free SAP Community Network (SCN) user account to download most of these files. This will also give you access to the forums.

Linux

SAP NetWeaver 7.0 – Trial Version on Linux –> DOWNLOAD

(N4S) SAP NETWEAVER 7.0 – SAP WEB APPLICATION SERVER ON LINUX (DVD) –> REQUEST DVD

Windows

SAP NetWeaver AS ABAP 7.02 SP6 32-bit Trial –> DOWNLOAD

Step by Step Installation of SAP NetWeaver 7.01 SR1 SP3 ABAP Trial Version in Oracle VirtualBox Part 1/3 –> GUIDE

SAP NETWEAVER 2004S ABAP TRIAL VERSION – TROUBLESHOOTING GUIDE  –> GUIDE

Notes: A few points you might want to check before beginning with the install.

• RAM
  • I got away with running this on 1.5GB of RAM, but it really needs >2GB to run smoothly
• SWAP
  • Don’t even bother starting your install without >4GB of swapfile initialized. The installer will only complain about the lack of swap after you’ve configured the whole install… you’ve been warned!
• Disk Space
  • Lots…. I made a VM with a 50GB second disk purely for the MaxDB
• JRE
  • It might look like things are all working fine with 1.6.x but I only had issues with the system afterwards or during install (crashed my vmware fusion). Stick to JRE 1.4.x  latest (worked fine for me).

VMWARE (LINUX SLES)

(CTB) SAP NetWeaver 7.0 – Java Trial Version on Linux – VMware Edition –> DOWNLOAD

Novell Link to CTB SLES images –> DOWNLOAD

GETTING STARTED SAP NETWEAVER 7.0-JAVA-VMWARE-TRIAL –> GUIDE

SAP ON LINUX: TEST DRIVES – TIPS AND TRICKS –> GUIDE

Notes: This VM is meant to be a sealed unit where you access it from a second system for management etc. I had issues getting the Visual Administrator to connect, and also getting the config tool running on the local system.

Some guides reference the n4sadm user (these guides are written for the pure Linux version of SAP and not the VM version). You might find you have more luck using the ctbadm when the guide says n4sadm.

Oh and the root password is “sap123″

Licensing

This page seems to be the main hub for what SAP now call “minisap” (originally TRIAL version).

You’ll need to run some commands on the SAP install and extract the resulting codes to request a key through this link.

http://www.sap.com/minisap/

LINKS:

• http://forums.sdn.sap.com
• irc.freenode.net #SAP

This 2-day class is designed to “show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective tests”. With Ed Skoudis and John Strand behind the class I had high hopes for something that really goes into the depths of Metasploit.

Day One

The first day started off with a gentle introduction to Metasploit and the MSF project in general, before diving into msfconsole and covering the required commands and options. Even though I’ve taught a few Metasploit workshops, there were a few gems here that I’ve not played with before. Small things (like the connect feature for example), but still gems non the less.

After covering the “basics” the class focuses on using Metasploit in a 4-phase penetration test (Recon, Scanning, Exploitation, and Post-Exploitation).

By using the Recon phase as the basis for the afternoons labs, a number of the Metasploit auxiliary modules are discussed, with labs on dns_enum, port scanning, databases and db_autopwn.

The obligatory meterpreter overview was given, as well as some more detailed discussion about meterpreter scripts and their uses.

Day Two

Day two concluded the scanning section from the previous day (demo of netxpose scan and import), before moving on to the exploitation phase.

To provide an complete overview of exploitation, everything some client-side (file format, and browser_autopwn) through to Social Engineering Toolkit (SET) and remote network exploitation was covered in varying detail. Coverage of some of the additional Metasploit command-line tools (msfpayload, msfencode) was included, but wasn’t explored in too much detail outside of a few specific examples.

The labs in this section of the book are well written and really give a good feel as to how specific protections can be bypassed. It was also good to play with SET and sqlmap using MSF payloads. Surprisingly the File Format lab wasn’t on Adobe PDF exploitation, but on Office macros… which makes a change

Moving into the final stages of the class we covered some of the inner workings of Post-Exploitation with meterpreter scripts and some irb scripting. Although the labs gave the chance to write a simple meterpreter script and interact with the irb shell, I would have liked to spend some more time covering Ruby basics and going a little more in-depth. Still, you can’t have it all!

To finish things off a number of sniffer and database modules were used to demonstrate Metasploit’s password sniffing/extracting capabilities.

Wrapping things up was a short discussion of Karmetasploit and the Metasploit web integration.

Conclusion

Overall I really enjoyed this class, even if it wasn’t quite at the “kung-fu” level the name hints at. I was a little disappointed that the Metasploit version used for the class (3.4.0) was so outdated, but I understand the problems keeping a course like this up to date, so fully understand the choices.

This class is certainly a winner if Metasploit isn’t your daily driver! If you get up everyday and pentest using Metasploit, then you’re not going to get the full effect of this class. Then again, there are some real gems in here if you take the time to look for them. I’ve taken a few hints and tips that I’ll be using in the future, so I’m sure there’s something for almost everybody here.

If I had my way, I’d slim down some of the “introduction to…” stuff, and spend a little more time covering Ruby basics and bring in some of the more advanced topics, like module writing (simple modules naturally) and maybe something on Railgun / Racket.

This class certainly motivated me to get moving on some of my (long standing) Metasploit projects. Since getting back I’ve finished up my adduser payload modifications as well as a number of SAP auxiliary modules I had waiting to be finished. So I guess that makes it a resounding success!

If you attend the class in 2011 please let me know what you think… I’m interested to see the transformation of the class over time, as Metasploit is ever changing!

Quote of the class: “Shine on you crazy diamond!”

—

SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking is a new class that was run for the first time at SANS London 2010. The class is designed to cover the ground between the SEC560 Network Penetration Testing class and the SEC709/710 that Stephen Sims has been running for a while now (Exploit development).

Day One (Advanced Penetration Testing Essentials)

Day one started off hot and heavy with some discussion of what the authors consider “advanced” penetration testing really is. Unlike some of the penetration testing we’re used to, this class seems to come at things from a slightly different viewpoint at times. “Product Penetration Testing” is an area that maybe not all testers are currently involved in, but it’s certainly something that larger internal penetration testing teams are starting to build into their testing regimes.

The first morning was spent laying the foundations of knowledge required to understand the topics coming in days three through six. This included a lot of theory on OS protections, compilers, shellcode and an (all too brief) introduction to SCAPY. The final segment of day one was spent looking at the Sulley fuzzing framework and running through a number of fuzzing labs.

Comments: Although this day was a little heavy on the theory, it was needed. With that said though, I’m not sure throwing these concepts in on day one was needed. I’d also like to have seen a longer SCAPY discussion with at least 1 lab, but we can’t have everything now can we

Day Two (Network Attacks for Penetration Testers)

Day two was certainly a step back from day one. At the pace of the first day, I could imagine the second day being much more complex, but to be honest that wasn’t the case at all. Day two discussed network based attacks on technologies like NAC, VLANs and routing protocols. The fun here was actually getting to perform some of the attacks in a lab environment. Normally these attacks are discussed but not done due to hardware limitations. Although not everything was possible, it was certainly fun playing with VLAN hopping instead of just covering the theory.

Day two also introduced some discussions of MITM attacks (ettercap) and the use of tools like Evilgrade in penetration testing. The final bootcamp lab was back to the day one topics to perform file format fuzzing with WinDBG / CDB.

Comments: Although it was fun to play with some VLAN hopping exercises, I would have liked to have seen a Cisco router or two (nothing too flashy/expensive) for some live demos/labs on the routing protocol material.

Day Three (Attacking the Domain)

Day three was somewhat of an oddity for me. Although I enjoyed it, I thought the material covered was more akin to a 500 level class for the most part. That’s not to say it wasn’t useful, but the difficulty level was certainly lower than the rest of the course (maybe this should be day one!).

Day three centered around attack Windows Domains and Database systems and ran through the phases of testing from enumeration through to attacking systems. Although some of the concepts were simple ones, the information and techniques shown were interesting and maybe not as well-known to all testers. Labs included RDP MITM attacks with CAIN as well as attacks on MS-SQL.

The day finished up with some information on Restricted Desktops, and a short CTF style bootcamp.

Comments: As I mentioned I’m not sure the difficulty was really there when compared to the other days… it was certainly the calm before the storm!

Day Four (Exploiting Linux for Penetration Testers)

Day four was the day most people in class where looking forward to, and dreading at the same time. Linux exploitation… the start of the really technical stuff.

Kicking things off gently we covered a quick introduction to memory and Dynamic Linux Memory before getting stuck in to smashing the stack both with and without Linux OS protections (Stack Canaries, ASLR) in place.

The bootcamp was used to go back and try out some of the exploitation we’d covered during the day. Starting off with a bit of simple fuzzing to trigger the exploit, and working through a simple (yeah right) exploit.

Comments: This day made my head hurt… I’d have loved more time to play with the concepts and more labs, but you can only do so much in one day.

Day Five (Exploiting Windows for Penetration Testers)

Continuing on from where we left of on day four, we moved into exploitation on Windows platforms.

After a quick introduction on the differences between Linux and Windows platforms and executables, we moved into a lab heavy day using WarFTP for a majority of the exploit labs. Working through the day we covered basic exploitation , as well as bypassing DEP and discussed HEAP exploitation briefly (not full coverage). The day finished up with some shellcode basics and the bootcamp section.

Comments: And I thought the Linux day was hard! Even after running through all the labs I’m not sure I took everything in… Certainly one to look at again when I have time!

Day Six (Capture the Flag)

Day six, along with most of the SANS penetration testing classes, is a CTF style event. Although I can see the point of this, I’d have loved to dig more into some of the harder topics from days 4 and 5 instead of fumbling around in a CTF style day 6. Still, overall it was fun, and I’m sure our team would have done well if I’d not spent the whole time trying to exploit one of the Windows challenges (despite being warned that nobody ever does them).

Final Opinions

Overall I think I got a lot out of the class, even if I never will be one of the premier exploit developers. There was a number of points I can take and use in my testing, and that’s the real point isn’t it. If this stuff isn’t useful, then why bother!

Even though the class is not 100% exploit writing, I can see people who are interested in getting into this area being drawn to the SEC660 class. It’s a quick and wild ride, but a good grounding for further learning. If you expect to come out being the next HD Moore however, then you’d better think twice… this kind of thing take years of dedication and study to master… no 6 day class will ever offer that!

Even though programming knowledge isn’t needed for the class, I would highly recommend anybody looking to take the class to at least have some scripting experience. The LABS do include Python scripting, and although it’s nothing too technical, some experience with it really allows you to concentrate on the real goals of the class and not get distracted by Python syntax.

Considering this was the first run for SEC600, I think the class was very well put together. With a few tweak and alterations I can see SEC660 being a great extension to the SEC560 class.

You can download the audio of my chat to Stephen through the Eurotrash Security Podcast feed (iTunes | XML Feed) or directly from here.

Stephen Sims will also be giving a SANS@night presentation at SANS London discussing “Microsoft Patch Analysis and Exploitation”.

If you’re looking for more information about the course or have any additional questions please feel free to checkout the course overview here or contact Stephen Sims directly through email (stephen@deadlisting.com)

Note: The new SANS SEC:580 “Metasploit Kung Fu for Enterprise Pen Testing” will also be running at SANS London… look for a review of the SEC:660 and SEC:580 courses once the conference concludes.

Since then, the industry has been all about certification. New certs and classes have popped up all over the place. Just over 2 years later, and SANS have just released their new Advanced Penetration Testing, Exploits, and Ethical Hacking class (SEC660). Incorporating new techniques that build on the previous class. The new class will be given boot camp style (with evening sessions), to maximize the content.

SANS will be running the SEC660 class with Stephen Sims at the December SANS London event… Make sure to book early, if the SEC560 class is anything to go by, then this ones going to be popular!

Links :

• SANS - Security 660 – Advanced Penetration Testing, Exploits, and Ethical Hacking
• SANS London 2010

The class is very exercise heavy and although it kicks off with some required groundwork on packet structures and a quick review of things like hexadecimal and binary, the real strength of the course lies with it’s “learn by doing” style of teaching. From simple packet captures, through to finding network faults (retransmits, checksum failures, ..) and reconstructing traffic streams. Each lab builds on the knowledge of the previous one to really improve your knowledge.

As you’d expect from a 1-day course, the range of tools covered is slightly limited.

• tcpdump
• ngrep
• wireshark
• mergecap
• tcpflow

The real focus of the class was on the use of tcpdump and wireshark to perform more advanced tasks, such as extracting files from packet captures (file carving), BPF and in particular bitmask filters to finely tune packet captures.

Overall I really enjoyed the class, and love Johannes’ teaching style. As with everything though, you get out of the class what you put in. After 8 days of training I don’t think I really gave it my full attention, which is a shame. I’ll have to make sure to look over the books again in a quiet moment. After all, we all love packets, right ?

Interesting links from the course .:

What ever happened to IPv5 ? Checkout The Internet Stream Protocol–> RFC1819

TCP/IP and tcpdump Pocket Reference Guide (PDF)

http://filext.com/ –> reference of hex file headers for specific filetypes

The Internet Stream Protocol

One of the things I love to hear from students after teaching Security 401 is “I have worked in security for many years and after taking this course I realized how much I did not know.” With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending Security 401, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.
- Eric Cole

Dr. Eric Cole on YouTube — Introducing Security Essentials

This class covers a lot of ground. I know the average SANS class is packed with juicy knowledge and tasty technical goodness, but the 401 class really crams it in. 11-12 Hours a day, and 6 days long. It’s not any easy task to take in everything, but Dr. Eric Cole is a great instructor, and really helps make things clear. As you’d expect from a class of this type, the content is wide-spreading and not as in-depth as some of the other SANS courses. Then again, this is what you’d expects from a course of this type. There’s no point in building a good foundation in 3 areas of the security landscape and skipping the rest. The 401 class covers the areas you need to know about without going too in-depth in any one thing. There’s plenty here for you to think about and it certainly gives you an idea of where your weak points are, and how to fill them in.

Day 1 – Networking Concepts

It’s hard to protect your network without knowing whats really going on on the wire. The first day of the 401 class was dedicated to understanding the fundamentals of networking, from the cable up. The information covered is just enough to really understand whats going on, without having to be a packet-monkey, or expert in routing protocols. Sure, there’s some exercises on decoding IP/TCP headers with pen and paper, but nothing that complex. As long as you can add up that is. It’s not rocket science after all Day 1 concluded with some virtualization and physical security modules. It was nice to see the physical security aspects covered where so many classes tend to skip over the topic.

Day 2 – Defense In-Depth

I’m a big fan of defense in-depth, and always try to drum it into clients when testing systems. After all, a single piece of equipment that stops all attacks is only good until you can find a bypass for it. When that happens, you’re completely exposed, unless you’re layering your defenses. Eric covered a lot of ground here in day 2. Malware, worms and trojans, alongside policy, password security and web-application attacks and defense. Again there’s just enough here to understand the basics without confusing people who’ve started the class with a clean slate. If you’re an old hand, there’s still information here to be had. Even though I’ve been through the 560, 542 and 709 classes, there still points that make me sit up and pay attention. Nobody knows everything after all.

Day 3 – Internet Security Technologies

Day 3 kicked off with discussion of attacks and hardening of systems. Coverage of IDS/IPS/HIDS and some great hints and tips about maximizing your firewall protection and layout. Even though most people know what a firewall does and how it works, people rarely consider the pros and cons of multiple firewalls, positioning and using packet, stateful and proxy filters to maximize the protection without overloading the systems. Discussion of signature based protections vs. Anomaly analysis (including the method of using clipping levels to improve identification of possibly suspicious traffic/behaviour). To give the students a hands-on experience with IDS, a short module on Snort (including writing a simple Snort rule) is included as the 3rd day draws to a close.

Day 4 – Secure Communications

After finishing up the risk analysis module from Day 3, we moved quickly into one of the sections of the class I was really looking forward to, encryption. Eric took the class from basics of cryptography (ROT-13, Caesar Cipher) through to a surprisingly easy to understand diagram on how Diffie-Hellmen Key Exchange really works. There was good coverage of data protection in-transit, at rest and the key points of key management issues. Moving away from cryptography toward mobile and wireless, we covered a range of different connection solutions. In particular, Bluetooth, 802.11, and ZigBee were covered in-depth. It was good to see the newer technologies such as ZigBee discussed even in the essentials class. To bring it home for day 4 we talked about VoIP and the increasing convergence of technology within the enterprise.

Day 5 – Windows Security

As with the other days, we kicked off day 4 with the final module of the previous day. In this case we talked about OPSEC (Operations Security). OPSEC is taking a step back from the technical and making sure that the appropriate risks are being addresses. It’s all about the Big Picture and protection of company information. Tracking and finding your companies weaknesses can also give you an idea where your competitors may have fallen short. To kickoff the Windows section of the class, we covered the basics of Windows Access Controls, patching and hot fixes, as well as the all important backup/restore of critical data. Of course no Windows security class would be complete without the extensive coverage of access permissions, rights and controls.

To tie in with the previous cryptography discussions we talked about EFS and Bitlocker and the pros/cons of using TPM (with USB token, PIN) to enforce boot integrity. Naturally we spent time looking at the technical side of security policies (GPOs, Security templates, …) and the issue of dealing with extensive security policies in large-scale Windows environments.  Finishing up we covered automation when it comes to securing and maintaining security of systems. It’s interesting to see Microsoft’s move to more command line based solutions. Give it another 10 -15 years and it’ll be just as good as Linux at the command line

Day 6 – Linux Security

Kicking things off for the last day, Eric went over the key differences and histories that make Linux and Windows such polar opposites. As you can imagine, a large part of the time today was spent discussing the intricacies of the*nix permissions system (including SUID, GUID and sticky bits). It was interesting to cover the usage of groups and the ability to assign passwords to specific groups using gpasswd. It was also good to get a quick overview of how PAM fits into the overall Linux authentication and user account management. pam_cracklib and pam_unix are something I’ll definitely be looking at more in the future. Finally I really get the permission system used in Linux. All it takes sometimes, is a simple down to earth explanation.

Jumping from permissions, we did a quick overview of the boot processes, run-levels and services. It’s great to hear little tips and tricks from people who work with this stuff on a daily basis. Things like the RC scripts. Newer systems (anything in the last 5 years) can handle 2 startup files with the same number (i.e. S08service and S08service2). Older systems would only run 1 of the services, and ignore the other. Certainly an important note when working on older *nix systems.

In the logging and monitoring section we covered a number of interesting log files. Of special interest to me (as a penetration tester), was the /var/run/btmp log file. If this file is present on a system, it contains information on failed logon attempts, with the attempted password listed in plaintext. Obviously this could be a great source of information if a user mis-types their password. At the very least, it’s a starting point for a brute-force of that account. At best, you have the users password and can start guessing what they mis-typed. As you’d expect a range of logging and centralised log management was discussed. After all, no talk on *nix logging would be complete without mentioning SYSLOG and SYSLOG-NG.

Winding up the class we touched on *nix patch management and enhancing the security of Linux. As you’d expect, we spent some time discussing APT and RPM based patching solutions, before moving into IPTables, TripWire and Bastille Linux.

It’s been an exhausting 6 days… but I feel like I’ve filled in a few gaps in my knowledge. I’ve especially enjoyed working with Dr Eric Cole and hearing about his take on various topics. Eric has a lot of knowledge to bring to the table, and I hope to attend another of his classes in the future.

Conclusion

There’s far too much information crammed into this class to really write about every topic covered. Then again, that’s not the point of this review. I’ve covered the key points we discussed, and hope it gives a good overview for people looking at taking this class in the future. I would say however, that SANS updates the classes on a regular basis. So your mileage may vary

I stand by my earlier comments that the security essentials class gives a good foundation. However, I would append a small note. If you’re already an experienced InfoSec person, then there will be times when you’re required to review things you already know. This isn’t a bad thing, as there’s always a few points that are worth reviewing, or described from a different standpoint. When looking purely at the content of the course and the method/style of delivery, I would highly recommend this class as the place to start when it comes to moving into InfoSec. The broad level of knowledge is both theoretical and technical, yet not too in-depth too get sidetracked into a single topic for too long. If you’re already working in InfoSec, then checkout the assessment test below to see what your level of knowledge is.

If you want to test yourself and see where the gaps in your knowledge are, you can use the SANS Security Essentials assessment Test to see how you score.

DEV319 / SEC319 – Intro to Web Application Security

If you’re new to security, finding a place to start can be a real problem. Diving straight into a class covering the deepest darkest secrets of SQL Injection or Cross-Site Scripting isn’t always going to be your best option. The “baptism by fire” approach isn’t for everyone after all. To make a move from systems administration or development that little bit easier, SANS have put together the SEC/DEV319 class to give an introduction to web application security. Don’t misunderstand, this isn’t a 2 day class that glosses over the problems and contains no real meat. The topics covered are in-depth, well explained and looked at in a hands-on approach. The labs are brief due to the tight timescales and amount of information to cover, however they come in at the right time and help to reinforce the content well.

The topics covered are varied and give a good foundation to build on. Obviously no 2 day class can cover everything, but SANS certainly try and cram a lot into a short timescale .:

• Securing Web Application Architectures and Infrastructures
• Cryptography
• Authentication
• Access Control
• Session Mechanism
• Web Application Logging
• Input Issues and Validation
• SQL Injection
• Cross-Site Scripting
• Phishing
• HTTP Response Splitting
• Cross-Site Request Forgery

Also not on the list, but equally important are discussions on logging (what, why, how, legal requirements, …), Phishing mitigation (discovery, defense, tarcking, ..)  and specific information on credit card processing issues (handling of data transfer, CCV/CCV2 numbers , AVS, …). These might not be the most glamorous topics, but for security, they’re just as important as the more technical attacks, like XSS, CSRF, etc…

This class is aimed at developers, QA analysts, and infrastructure security professionals. With that said it offers a great deal of information for anybody who wants to secure web applications. The class is taken from a developer and attacker standpoint, showing how to check for errors and how attackers would take advantage of them. I’m not sure this works as well as people think for developers, but it seems to be the way things are taught currently. One thing to consider if you’re coming at this class from a pure developement background, is the longer langauge specific classes like DEV541 (Secure Coding in Java/JEE: Developing Defensible Applications). These are taken more from a developer standpoint and go deeper into not only the cause of the flaws, but also the underlying code that causes and fixes the issues.

Conclusion:

If you’re a developer or network support technician looking for a good introductory class to web application attack and defence, then this is certainly a great place to start. It will help you hit the ground running with some good knowledge on how things work (from the HTTP protocol  up). Even though this class is a 300 level* course, the content isn’t basic by any means. There’s something here for everybody.

* “When selecting the courses that you wish to take, keep in mind that the course numbers indicate relative degree of difficulty. Thus 300-level courses are intended for students who are new to security and have no experience; 400-level courses are intended for students with some experience; 500-level courses are intended for students who are seasoned security professionals; 600- and 700-level courses are the most advanced. The levels are not determined by how much hands-on or technical work is involved in the course, but rather by the overall difficulty of that course in comparison to others in the same discipline. Within any given level, course numbers do not indicate level of difficulty. SEC589, for example, should not be any more difficult than SEC571.“ – SANS Brochure

Unlike recent courses, which have been very specialist, I’m going “back to basics” in a way, and attending the Security Essentials class (SEC401). I’m hoping to fill in a few gaps in my knowledge and cover some more management style topics. I’m not really the management type (I’m not good at politics), but anything that can help to improve the way I work, think and explain things to the C-level is a good thing in my book. I’ll also try to sit in on the DEV319 class prior to the main part of the conference. I’m not a developer, but I’m interested to see how SANS is going about training developers for secure coding. After all, this is where we seem to be failing at the moment, at least in my opinion.

If you’re attending the conference make sure to come over and say hi. I’ll be one of the facilitators, so I get to wear the nice red apron. Still, you can’t have everything can you

John Strand from the Pauldotcom crew will be running a capture the flag evening at the conference, so even if you’re not attending a course, pop down and say hi. There are also a number of other interesting SANS@night events if CTF isn’t your thing.

For a little history on this, I first attended the 4-day version of the SEC-542 back in December last year. The course was good, and I wrote about the contents on the blog (day-1, day-2 ,day-3. day-4). The 6-day version of the class has incorporated a number of welcome additions and helps the course really grow. I always felt that the 4-day version lacked a certain something, and the new version really fills the gaps with new sections on Flash, WebServices (WSDL, UDDI, SOAP…) and nice coverage of Python, JavaScript and PHP for Penetration Testers. The last day is also now a Capture the Flag event which will really help to solidify the knowledge and let people get a hands-on approach to testing.

I can’t finish this post without saying a little something about the OnDemand program. The new OnDemand system is certainly a step in the right direction. As SEC-542 is one of the first on the BETA OnDemand it lacks the additional links that will come with maturity. I think that the OnDemand option of training has become more of an option than previously. The support you get is also great, especially as Kevin is very approachable. If all else fails you can shoot me an email and I’ll see if I can help. Hopefully this will be the class I’ll be Mentoring in Vienna next year (given the chance).

Overall I’d give the class 95/100 –> There’s room for some additional coverage of things like JBoss, Coldfusion and Tomcat. Still you can’t fit everything into 6 days I can’t wait for SEC-642, for some advanced WebApp fu.

GWAPT Certified Professionals –> LISTING

GWAPT Exam Coverage –> Coverage