O'Reilly European Open Source Convention - 17-20 October, 2005

Tutorial
Open Source Web Application Security Kung-Fu & Art of Defense
Shreeraj Shah, Founder and Director, Net Square Solutions Pvt. Ltd.

Date: Monday, 17 October 2005
Time: 8:30 - 12:00
Location: Foyer Room
Web application attacks are growing at rapid rate in last five years. Many innovative ways of breaking systems have come into existence. Web applications are even more vulnerable since they cannot be protected by firewalls and become easy prey for attackers. Next generation web application attacks have arrived and are here to stay. These attacks are targeted towards vulnerable and poorly written web applications.
Web application defense strategies require secure coding at application level, knowing your applications, and protecting them by human intelligence. To perform these tasks one needs some tools and techniques. There are tools out there in open source domain which you can use. Knowing your application can lead to profiling your web assets in logical way. Profiling web assets provides a better picture of various possible attacks set. Knowing entire attack set greatly helps in designing and implementing defense strategies. This presentation will cover attacks in depth with live demonstrations and several open source tools.
Web application assessment and defense can be done using several different open source tools such as crawlers, footprinting utilities, assessment modules, nessus, paros etc. These tools can help in attacking web application and identifying vulnerabilities and loopholes in the system. At the same time one can use open source application layer firewall like mod_security to defend their applications.