GOSSIP - Group Of Systems Security Integrating Professional

Page 1
Certified Application Security Professional (CASP)
Application vulnerabilities continue to top the list of cyber security concerns. While attackers and researchers
continue to expose new application vulnerabilities, the most common application flaws are previously known,
rediscovered threats. This high volume of known application vulnerabilities suggests that many development
teams do not have the security resources needed to address all potential security flaws, and that a clear shortage of
qualified professionals with application security skills exists. Without action, this soft underbelly of business and
governmental entities has been, and will continue to be, exposed with serious consequences: data breaches,
disrupted operations, lost business, brand damage, and regulatory fines. This is why it is essential for software
professionals to stay current on the latest advances in software development and the new security threats they
create.
Objectives of the course:

The course is focused on comprehensive coverage of web and application security. It presents security
guidelines and considerations for web application development. Participants will learn the basics of
application security, how to enforce security in a web application, the basics of threat modeling, threat profiling,
OWASP Top Ten testing, and penetration testing of applications.

Upon completion of this course, participants will be able to:
Understand the need for security
Understand the various security threats and their countermeasures
Design and develop secure web applications
Who should attend this training?

All web app developers, QA / testers, designers who wish to improve their security skills
Developers and System Architects wishing to improve their security skills and awareness
Software Development Team Leaders and Project Managers
Security practitioners and managers
Application Security Testers & Auditors
Anyone interested in techniques for securing Web applications
QA analysts who want to learn the mechanics of Web applications for better testing
Why should you attend this training?
Validate your expertise in application security.
Conquer application vulnerabilities, offering more value to your employer.
Demonstrate a working knowledge of application security.
Differentiate and enhance your credibility and marketability on a worldwide scale.
A CASP certified professional helps the employer to:
Break the penetrate-and-patch approach to testing.
Reduce production cost, vulnerabilities and delivery delays.
Enhance the credibility of your organization and its development team.
Reduce loss of revenue and reputation due to a breach resulting from insecure software.
Ensure compliance with government or industry regulations.

Course Fee: INR 20,000 + Tax
Date: 15th to 17th August 2014
Just carry your laptop for the session



Page 2
Course Contents

Web Application Assessment
OWASP Top 10 Vulnerabilities
Threat Modelling Principle
Site Mapping & Web Crawling
Server & Application Fingerprinting
Identifying the entry points
Page enumeration and brute forcing
Looking for leftovers and backup files
Authentication vulnerabilities
Authentication scenarios
User enumeration
Guessing passwords - brute force & dictionary attacks
Default users/passwords
Weak password policy
Direct page requests
Parameter modification
Password flaws
Locking out users
Lack of SSL at login pages
Bypassing weak CAPTCHA mechanisms
Login without SSL
Authorization vulnerabilities
Role-based access control (RBAC)
Authorization bypassing
Parameter tampering
Forceful browsing
Rendering-based authorization
Client side validation attacks
Insecure direct object reference
Insecure file handling
Path traversal
Canonicalization
Uploaded files backdoors
Insecure file extension handling
Directory listing
File size
File type
Malware upload
Improper Input Validation & Injection vulnerabilities
Input validation techniques
Blacklist vs. whitelist input validation and bypassing
Encoding attacks
Directory traversal
Command injection
Code injection
HTTP response splitting
Log injection
XML injection - XPath injection | Malicious files | XML entity bomb
LDAP Injection
SQL injection
Common implementation mistakes - authentication bypassing using SQL injection
Cross Site Scripting (XSS)
Reflected vs. stored XSS
Special characters - & < >, empty input
Session & browser manipulation attacks
Session management techniques
Cookie based session management
Cookie properties
Cookies - secrets in cookies, tampering
Exposed session variables
Missing cookie attributes: HttpOnly, Secure
Session validity after logoff
Long session timeout
Session keep alive enable/disable
Session id rotation
Session Fixation
Cross Site Request Forgery (CSRF) - URL encoding, path traversal
Open redirect
SQL Injection to Root
LFI and RFI
Metasploit Framework
Lots of hands-on practical exposure




Page 3
Trainer's profile: Pranab Jyoti Roy
Pranab holds an M.Sc. in Computer Science and has been involved in application security, network penetration testing,
configuration audits and mobile application pen-testing for a few years now. Pranab has successfully completed
projects in web and mobile application penetration testing. He has major expertise in network and application
penetration testing, has conducted internal and external penetration tests, and is well versed in security
assessment methodologies such as OWASP and OSSTMM. Pranab also has experience in programming and testing,
good knowledge of shell and Python scripting, networking, TCP/IP, databases and operating systems across the Microsoft
Windows family, and expertise in BackTrack and Kali Linux. He has automated a lot of processes using Python and
has experience in exploit writing. He possesses good communication and interpersonal skills and has completed
25-30 successful batches for CEH, Application Security (OWASP) and Advanced Hacking.

Experience & Expertise
o Web Application Security Tools: Burp Suite, Nikto, Tamper Data, SQLMap, Paros Proxy, WebScarab, Wireshark, WinHex, Echo Mirage, THC-SSL-Check.
o Vulnerability Scanners: Nessus, OpenVAS, QualysGuard, Nmap.
o Penetration Testing Tools: w3af, IronWASP, Metasploit, Hydra, Netcat, Cain & Abel, OllyDbg, OWASP CSRFTester, gerix.
o Network Devices Testing Tools: Cain & Abel, MBSA.
o Programming Languages: C, C++, JavaScript, Python scripting.
o Distros: Windows, Linux, BackTrack, Kali Linux.
o General: good knowledge of networks, switches, routers, operating systems and various security tools.
Application Security
o Well versed with OWASP Top Ten and WASC Threat Classifications
o Expertise in Vulnerability Assessment and Penetration Testing of Web Applications
Network Security
o Good knowledge of TCP/IP fundamentals
o Expertise in security for operating systems, databases, and web servers
  Databases: MS SQL Server, Oracle, MySQL
  Servers: FTP, DHCP, web servers (IIS, Apache), Domain Controller
Wireless Security
o Cracking WEP, WPA, WPA2 encryption
o Penetrating WPS
Forensics
o Disk Imaging with Encase, FTK
o Forensics with open source tools
o Web Server Log Review
o Email Address Tracking
o File Recovery
o Memory Forensics
Penetration Testing 2.0
o Non-traditional social engineering attacks
o Client-side Attacks
o Business Logic Tests
