Application Security Testing and Training?

slashDoug asks: "I am a career tester that now has an opportunity to bring application security testing in-house in the form of training. We have a network team that already does network, penetration testing and hardware hacking to keep our web infrastructure and sites secure, but I am interested in focusing on the security flaws of our designed web applications. I have read through a couple books on the subject which have different insights ('How to Break Software Security' by James Whittaker, and 'Writing Secure Code' by Howard and LeBlanc) and would like to bring that kind of knowledge to the other testers in my group. Does anyone have any recommendations on training groups that I could bring in-house to train a team of software testers? Your thoughts and recommendations are greatly appreciated!"

OWASP, Matching the training to the individual

[dancornell]

For background information I highly recommend the Open Web Application Security Project http://www.owasp.org/ [owasp.org] There are local chapters all over the world that should have regular meetings - I help run the San Antonio chapter.

The important thing is to target any training so that it matches the background of those being trained. I have done work with with IT Audit groups and they wanted to learn how to do application security assessments themselves. Given their background this simply was not in the cards so we instead focused their attention on how to audit the assessment process to make sure that tools were being used properly and the outcomes of the assessments was being addressed by the development teams. Training for network security folks can include how to run scanning tools and interpret the results, as well as how to do some manual testing of their own. Developers can obviously learn about the assessment process, but will ultimately need training on how to design and code secure systems. In any case, the important thing is to match the training being given with the job responsibilities and capabilities of those being trained.

As for groups that do this sort of training, obviously I am biased, but my company Denim Group http://www.denimgroup.com/ [denimgroup.com] does application security security training for developers, auditors, QA and network security folks. McAfee and Symantec offer courses as well.

Thanks,

Dan

Re:OWASP, Matching the training to the individual

[Anonymous Coward]

Just a follow-up on the OWASP stuff -- going through webgoat might be an interesting exercise. It's a hands-on approach to how web security might be compromised by more malicious types. You're probably more advanced than any of the stuff but if nothing else, it's a good refresher course to reinforce what you've learned.

Re:OWASP, Matching the training to the individual

[licamell]

Man, I hope your company isn't paying hosting by bandwidth... or your bosses might be a little upset about how you just slashdotted your own page. I guess that's the price of "Free" advertising on slashdot.

Re:OWASP, Matching the training to the individual

[dancornell]

Site is up. Apparently the service provider who provides our DNS is being DDoS'd right now. Super...

--Dan

Re:OWASP, Matching the training to the individual

[charlesnw]

They obviously didn't use your services. Just kidding :)

Re:How quaint

[Profane MuthaFucka]

That's not offtopic. I am commenting SPECIFICALLY on the article.

Career tester?

[nekoniku]

I'd like to be a career tester! First I'd like to test being a lion tamer! Then maybe a fighter pilot...

Re:Career tester?

[plover]

Maybe you don't want to go straight into testing Lion Taming. Perhaps you should work at it by testing careers in steps, say, via Banking.

No!

[XanC]

No, I don't want to wait! At nine o'clock tomorrow I want to be in there, taming!

Training from real experts in software security

[thedletterman]

Unfortunately for you, most of the real experts in software security are currently facing jail time. [cdfreaks.com]

Secure coding classes, not testing but...

[bourne]

SANS [sans.org], a well-respected hands-on security training organization, has several courses [sans.org] on application-level security - Securing Oracle, Web Application Security Workshop, Secure Internet Presence LAMP, and .Net Security among them. These are aimed at programmers, not testers, but would be beneficial to anyone doing code audits and blackbox testing of applications.

Not quite what you asked for, but maybe something you'll want to look into.