Greetings security professionals:

As SecurityFocus is the "Official Security Portal" for the Blackhat Security
Briefings, I thought the following information may be of interest to some of
the list membership.

In addition to my "Web Vulnerably and SQL Injection Countermeasures" Deep
Knowledge session at the upcoming Blackhat 2001 in Amsterdam, I will be
leading a new training session regarding the "Secure Development of
Data-Driven Web Applications." A brief description of this course follows:

<snip>
Deploying a poorly designed web application can be like propping open the
Front Door into your network infrastructure. The vulnerabilities introduced
by these design flaws can be exploited with different techniques of SQL
injection, URL manipulation, error/debug code analysis, and other insidious
methods.

Since detection of these attack modes can be difficult (or sometimes
impossible when made over secure channels), it not only important to learn
how these attacks are structured, but one must learn how to build an
application
whose very structure mitigates the impact these techniques can have.

In contrast to many Blackhat sessions flavored toward the "exploit" side of
things, this session will concentrate on the techniques and methods used to
protect your network from these types of vulnerabilities, and "best
practices" to follow when developing your data-driven applications.

With content specific to Microsoft IIS5 and SQL2000 utilizing ASP and ADODB,
this course will provide an overview of a typical application's lifespan
from the design and planning stage, through to its production and
deployment.

The course will be broken into two main areas of study: Development and
Implementation.

Development:
During the development phase, we will cover the following:
1) Web Form Design
2) User Input Validation and Sterilization
3) SQL query string construction
4) Data object instantiation
5) Parameter typing and passing
6) SQL database design
7) Stored procedure design and execution

Implementation:
Implementation will cover the following specific technologies:
1) Microsoft IIS5 server configuration and hardening
2) Microsoft SQL2000 server configuration and hardening
3) SQL mixed mode authentication and pitfalls
4) SQL Integrated mode, user/group structure, and procedure permissions
5) Real-world deployments, vulnerabilities, and considerations

</snip>

Time permitting, we will take a look at IIS6 running on Whistler and some of
the new functions and features available therein.

Other training courses regarding various technologies are also available
from noted security professionals such as Ofir Arkin, JD Glaser,
Foundstone's Erik Birkholz, Rooster, and the incomparable Halvar Flake.

Interested parties are encouraged to visit
http://www.blackhat.com/html/bh-europe-01/training-europe-01-index.html
(may be wrapped) for more information on the classes, schedules, and costs.

Information on the Blackhat general sessions may be found at
http://www.blackhat.com/html/bh-europe-01/bh-europe-01-index.html

Thank you for your time and consideration.

* This email is intended to deliver what I consider to be pertinent security
information. My apologies to anyone who may not deem this list as an
appropriate venue for commercial information.*

Cheers,
---------------------------------
Attonbitus Deus
rm -rf /bin/laden

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]