In-depth Assessment Techniques: Design, Code, and Runtime

1-Day Tracks

Track Name : In-depth Assessment Techniques: Design, Code, and Runtime
Track ID : SB1DIAT
Instructor : Pravir Chandra
CPE Credits : 7 CPEs
Duration : 1 Day
Date : November 20th, 2009 (9 AM – 6 PM)
Fortify

Who should attend?

    1. Anyone who is interested in advancing their software assessment skills
    2. Security Architects & Consultants wanting to learn advanced secure design concepts
    3. Team leads and developers interested in learning more about Design reviews, code reviews and Runtime code analysis
    4. Penetration Testers and security testers

Class Pre-requisite:

    1. Architects and developers.
    2. Prior experience in Penetration testing or software security assessment preferred.

Class Requirement:

    1. No laptop required.

Course Overview

This tutorial is targeted at those wanting to enhance their software assessment skills. Specifically, the tutorial teaches attendees techniques for design analysis, code review, and penetration testing that uncover a wide variety of vulnerabilities and weaknesses in applications. If you have pre-existing skills and want to learn more, then this course is perfect. The tutorial will generally focus on web applications, but most information applies to software of any type. In addition, attendees will learn general methods for protecting against the security issues uncovered by each assessment technique. The tutorial topics include:

    1. System decomposition for analysis
    2. Lightweight threat/risk modeling
    3. Identifying interfaces/attack surface
    4. Testing business logic and edge cases
    5. Assessing for provision of security mechanisms
    6. Assessing for key vulnerability classes
    7. Risk classification and weighting
    8. Root cause analysis and patching

The tutorial has a primary focus on intermediate/advanced assessment and testing concepts for architects and developers. Automated security assessment tools will be discussed in context, but not demoed.
