Prior to the 6-day classes starting at SANS London 2009, I had the chance to sit in on the 2-day DEV319 class (run by Johannes Ullrich) to see what the class was all about. As I’ve said over and over again, I love learning, and I can’t say no when somebody offers me a chance to sit in on a class, even if it is something I’ve already covered in my recent GWAPT course. Once thing I like about the classes from SANS is the instructors. Unlike some companies, the people teaching the class really do this for a living. They’re not just standing there reading the slides and nothing more. Johannes really know his stuff when it comes to web applications. There is so much knowledge there to be gained just by asking questions and discussing solutions. This is the real essence of learning in my opinion. Sitting at the back of the class can only get you so far. So next time you’re at a class make sure you ask some questions. You will be surprised what you can learn just be asking.
If you’re new to security, finding a place to start can be a real problem. Diving straight into a class covering the deepest darkest secrets of SQL Injection or Cross-Site Scripting isn’t always going to be your best option. The “baptism by fire” approach isn’t for everyone after all. To make a move from systems administration or development that little bit easier, SANS have put together the SEC/DEV319 class to give an introduction to web application security. Don’t misunderstand, this isn’t a 2 day class that glosses over the problems and contains no real meat. The topics covered are in-depth, well explained and looked at in a hands-on approach. The labs are brief due to the tight timescales and amount of information to cover, however they come in at the right time and help to reinforce the content well.
The topics covered are varied and give a good foundation to build on. Obviously no 2 day class can cover everything, but SANS certainly try and cram a lot into a short timescale .:
- Securing Web Application Architectures and Infrastructures
- Access Control
- Session Mechanism
- Web Application Logging
- Input Issues and Validation
- SQL Injection
- Cross-Site Scripting
- HTTP Response Splitting
- Cross-Site Request Forgery
Also not on the list, but equally important are discussions on logging (what, why, how, legal requirements, …), Phishing mitigation (discovery, defense, tarcking, ..) and specific information on credit card processing issues (handling of data transfer, CCV/CCV2 numbers , AVS, …). These might not be the most glamorous topics, but for security, they’re just as important as the more technical attacks, like XSS, CSRF, etc…
This class is aimed at developers, QA analysts, and infrastructure security professionals. With that said it offers a great deal of information for anybody who wants to secure web applications. The class is taken from a developer and attacker standpoint, showing how to check for errors and how attackers would take advantage of them. I’m not sure this works as well as people think for developers, but it seems to be the way things are taught currently. One thing to consider if you’re coming at this class from a pure developement background, is the longer langauge specific classes like DEV541 (Secure Coding in Java/JEE: Developing Defensible Applications). These are taken more from a developer standpoint and go deeper into not only the cause of the flaws, but also the underlying code that causes and fixes the issues.
If you’re a developer or network support technician looking for a good introductory class to web application attack and defence, then this is certainly a great place to start. It will help you hit the ground running with some good knowledge on how things work (from the HTTP protocol up). Even though this class is a 300 level* course, the content isn’t basic by any means. There’s something here for everybody.
* “When selecting the courses that you wish to take, keep in mind that the course numbers indicate relative degree of difficulty. Thus 300-level courses are intended for students who are new to security and have no experience; 400-level courses are intended for students with some experience; 500-level courses are intended for students who are seasoned security professionals; 600- and 700-level courses are the most advanced. The levels are not determined by how much hands-on or technical work is involved in the course, but rather by the overall difficulty of that course in comparison to others in the same discipline. Within any given level, course numbers do not indicate level of difficulty. SEC589, for example, should not be any more difficult than SEC571.“ – SANS Brochure