Application Security Testing and Training?
slashDoug asks: "I am a career tester that now has an opportunity to bring application security testing in-house in the form of training. We have a network team that already does network, penetration testing and hardware hacking to keep our web infrastructure and sites secure, but I am interested in focusing on the security flaws of our designed web applications. I have read through a couple books on the subject which have different insights ('How to Break Software Security' by James Whittaker, and 'Writing Secure Code' by Howard and LeBlanc) and would like to bring that kind of knowledge to the other testers in my group. Does anyone have any recommendations on training groups that I could bring in-house to train a team of software testers? Your thoughts and recommendations are greatly appreciated!"
OWASP, Matching the training to the individual (Score:4, Interesting)
The important thing is to target any training so that it matches the background of those being trained. I have done work with IT Audit groups and they wanted to learn how to do application security assessments themselves. Given their background this simply was not in the cards, so we instead focused their attention on how to audit the assessment process to make sure that tools were being used properly and the outcomes of the assessments were being addressed by the development teams. Training for network security folks can include how to run scanning tools and interpret the results, as well as how to do some manual testing of their own. Developers can obviously learn about the assessment process, but will ultimately need training on how to design and code secure systems. In any case, the important thing is to match the training being given with the job responsibilities and capabilities of those being trained.
As for groups that do this sort of training, obviously I am biased, but my company Denim Group http://www.denimgroup.com/ does application security training for developers, auditors, QA and network security folks. McAfee and Symantec offer courses as well.
Thanks,
Dan
Secure coding classes, not testing but... (Score:3, Informative)
SANS, a well-respected hands-on security training organization, has several courses on application-level security - Securing Oracle, Web Application Security Workshop, Secure Internet Presence LAMP, and .Net Security among them. These are aimed at programmers, not testers, but would be beneficial to anyone doing code audits and blackbox testing of applications.
Not quite what you asked for, but maybe something you'll want to look into.