Web Appsec: Education

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
I didn't know whether to put this in the security section or here so mods, feel free to move it if you wish. Have any of you taken any formal classes on (web) application security? I have been poking around and besides the GWAPT (and the class) the only other thing I could find was this:
So You Wanna Be A Web App Pentester | Learn Security Online

I know the elearnsecurity class also has some web appsec modules as well:
eLearnSecurity : Penetration testing and IT Security courses

I am not sure about Backtrack, as it seems more application based but I will list it just to save someone else the trouble:
Penetration Testing Training with BackTrack

I am just curious if A: anyone does this type of work, B: anyone has taken any of the listed courses, or courses relevant but not listed, and has suggestions for or against any of the classes.

Also I use Web Appsec somewhat loosely. I also mean Web Services and Database Attacks as well.

Comments

  • NetworkingStudent (Member, Posts: 1,407)
    I signed up to get emails from a security group called Secure 360 and I stumbled on this conference. The meeting was for a group called The Open Web Application Security Project (OWASP). I went to the conference because it was pretty cheap and there were a lot of security topics covered. You might be interested in this group. I found out after the conference that the membership was free, but you could donate money if you wanted to. There were all kinds of presentations there too: some on cell phone security, some on pen testing, and even some on secure passwords. Very interesting conference… check out their homepage. I think they have chapters in every state. Most chapters have meetings weekly as far as I know.
    OWASP
    "When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

    --Alexander Graham Bell,
    American inventor
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Thanks for the reply. I know of the OWASP. I actually have their testing guide downloaded as an additional reference for web application security. I plan on going to the next OWASP chapter meeting in a few weeks. How did you like it?
  • GAngel (Member, Posts: 708)
    Before you did any of that you'd probably want to have a good understanding of SQL commands. I love the Learn T-SQL in 10 Minutes book.

    A bit of programming knowledge doesn't hurt either, so you can follow why something is happening and can get creative if needed. I like Python myself, but they're all pretty similar when it comes to following what they're doing.
  • dynamik (Banned, Posts: 12,312)
    If you want a cert to make your resume pop, check out the GWAPT. I've heard it's good overall, but it lacks the depth you'd expect.

    If you just want to learn, pick up the Web Application Hacker's Handbook and the recently released Hacking Exposed: Web Applications (3rd).

    Both the LSO and eLearn courses are fantastic, btw.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    dynamik wrote:
    If you want a cert to make your resume pop, check out the GWAPT. I've heard it's good overall, but it lacks the depth you'd expect.

    If you just want to learn, pick up the Web Application Hacker's Handbook and the recently released Hacking Exposed: Web Applications (3rd).

    Both the LSO and eLearn courses are fantastic, btw.


    Hey Buddy! So you are finally done with those college courses huh?

    I picked up the Web App Hacker's Handbook and I am making my way through it. I actually read a thread about the GWAPT on Ethical Hacker (which you either started or answered). It looks like a good cert. I thought the GWAPT was pretty in-depth? I read where people were saying that it was harder than the GPEN...

    As far as eLearn and LSO, I am positive I am going for eLearn. I was on the fence about LSO. It was cheap, but there was hardly any information about it. I might go ahead and go for that course as well. Thanks for the suggestion about the Hacking Exposed book. I'll pick that one up after I am done with the Web App Hacker's Handbook.
  • NightShade03 (Member, Posts: 1,383)
    The Web Application Hacker's Handbook is great; I have read it a couple of times.

    I haven't taken either course, but I hear good things about both. The GWAPT looks pretty good from the course outline, but I hate that the SANS courses are so expensive.

    I'm actually working on a WebApp Sec course myself at the moment. I'll let you beta test when I'm done if you'd like ;)

    Also check out DVWA as you can apply many lessons you've learned so far through the use of the LiveCD.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    I'm actually going to work on DVWA tonight. There is another one out there as well, but I can't remember the name of it.

    And hell yeah, I'd like to beta test it. Have either of you read the Web Security Testing Cookbook? I have it, but I have only barely cracked it.
  • NightShade03 (Member, Posts: 1,383)
    The cookbook is fairly good... a bit dated though.

    There are many others besides DVWA, including LabRat (OWASP live CD), Mutillidae, Moth, and WebGoat.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Which ones would you suggest?
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Also, what would you guys suggest for a GWAPT challenge?
  • dynamik (Banned, Posts: 12,312)
    Bl8ckr0uter wrote:
    Hey Buddy! So you are finally done with those college courses huh?

    Nope. I got a new job too. I have less time than ever.
    Bl8ckr0uter wrote:
    It looks like a good cert. I thought the GWAPT was pretty in-depth? I read where people were saying that it was harder than the GPEN...

    I'm not saying it's bad (it's actually quite good). I just know some relatively experienced web app guys that wished it would have been more in-depth. I suppose it's all relative to your experience though. I burned through the GPEN exam in an hour with no resources, and I know others that are too scared to take it even after attending the course, doing the practice exams, and having the materials.

    People's experiences and attitudes towards the SANS/GIAC stuff are all over the place. Everyone's experience will be unique (but I think it goes without saying that it's going to be a positive, challenging experience overall).

    GWAPT requires a decent amount of programming knowledge, and I hear it's pretty heavy on Python. That's just the nature of web applications. Some of the guys I used to work with struggled even though they understood the concepts and tools.

    I think it's a fair assessment to say that the exam is more difficult than the GPEN for the average person (granted, I haven't taken both). Although, that may simply be because people are more familiar with networking concepts than they are with web development. Everything is relative to what you currently know. However, I am writing questions for the GPEN now, so that might get a bit more difficult as those get added to the pool ;)
    Bl8ckr0uter wrote:
    As far as eLearn and LSO, I am positive I am going for eLearn. I was on the fence about LSO. It was cheap, but there was hardly any information about it. I might go ahead and go for that course as well. Thanks for the suggestion about the Hacking Exposed book. I'll pick that one up after I am done with the Web App Hacker's Handbook.

    Joe McCray is a beast. I don't think you'd regret getting anything from LSO.
    Bl8ckr0uter wrote:
    Also, what would you guys suggest for a GWAPT challenge?

    All the books and live CDs we mentioned. Go to the course page and review the day-by-day breakdown and review all those items. The OWASP guide is great, and the practice tests (you get two with a challenge, but can purchase more) should identify any other areas where you are deficient.