Greetings security professionals:

As SecurityFocus is the "Official Security Portal" for the Blackhat Security Briefings, I thought the following information may be of interest to some of the list membership.

In addition to my "Web Vulnerability and SQL Injection Countermeasures" Deep Knowledge session at the upcoming Blackhat 2001 in Amsterdam, I will be leading a new training session regarding the "Secure Development of Data-Driven Web Applications." A brief description of this course follows:

<snip>

Deploying a poorly designed web application can be like propping open the front door into your network infrastructure. The vulnerabilities introduced by these design flaws can be exploited with different techniques of SQL injection, URL manipulation, error/debug code analysis, and other insidious methods. Since detection of these attack modes can be difficult (or sometimes impossible when made over secure channels), it is not only important to learn how these attacks are structured, but one must learn how to build an application whose very structure mitigates the impact these techniques can have.

In contrast to many Blackhat sessions flavored toward the "exploit" side of things, this session will concentrate on the techniques and methods used to protect your network from these types of vulnerabilities, and "best practices" to follow when developing your data-driven applications. With content specific to Microsoft IIS5 and SQL2000 utilizing ASP and ADODB, this course will provide an overview of a typical application's lifespan from the design and planning stage, through to its production and deployment.

The course will be broken into two main areas of study: Development and Implementation.

Development:

During the development phase, we will cover the following:

1) Web Form Design
2) User Input Validation and Sterilization
3) SQL query string construction
4) Data object instantiation
5) Parameter typing and passing
6) SQL database design
7) Stored procedure design and execution

Implementation:

Implementation will cover the following specific technologies:

1) Microsoft IIS5 server configuration and hardening
2) Microsoft SQL2000 server configuration and hardening
3) SQL mixed mode authentication and pitfalls
4) SQL Integrated mode, user/group structure, and procedure permissions
5) Real-world deployments, vulnerabilities, and considerations

</snip>

Time permitting, we will take a look at IIS6 running on Whistler and some of the new functions and features available therein.

Other training courses regarding various technologies are also available from noted security professionals such as Ofir Arkin, JD Glaser, Foundstone's Erik Birkholz, Rooster, and the incomparable Halvar Flake.

Interested parties are encouraged to visit http://www.blackhat.com/html/bh-europe-01/training-europe-01-index.html (may be wrapped) for more information on the classes, schedules, and costs.

Information on the Blackhat general sessions may be found at http://www.blackhat.com/html/bh-europe-01/bh-europe-01-index.html

Thank you for your time and consideration.

* This email is intended to deliver what I consider to be pertinent security information. My apologies to anyone who may not deem this list as an appropriate venue for commercial information. *

Cheers,

---------------------------------
Attonbitus Deus
rm -rf /bin/laden
This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 11:46:26 PDT