16

I am trying to establish an application security group within an organization, and although there is a plethora of courses for penetration testers, I fail to find an equal amount of training courses for developers / QA testers.

The team I work with is very capable when it comes to its core functions (development, testing, testing automation) but has very limited exposure to application security: very basic knowledge of the OWASP Top 10.

I looked on the Internet for courses to help them build their knowledge, and so far I have found 2-3 courses from SANS and a training bundle from Aspect Security. I haven't tried any of these yet, since I wanted to get some opinions before we commit.

The ideal course(s) should contain:

  • An introduction, ideally based on the OWASP Top 10
  • Defensive techniques, ideally presented as a framework (e.g. OWASP ESAPI)
  • Security testing, oriented towards QA testers who like to automate, vs. manual penetration testing
  • Application of WAFs (for virtual patching)

Do you know of any course bundle that can provide me with this content, or should I be looking for individual courses from different providers? And if so, can you provide me with the names of training providers that you have used and are satisfied with?

  • 2
    haha, "virtual patching", do you also call it getting "virtual pwn3d" when your waf is bypassed? – rook Oct 26 '12 at 04:59
  • 1
    There are external security consultant companies out there that provide training tailor-made to your specifications. But I am not sure if naming them here would be appropriate, since I myself have been associated with one of them. – sudhacker Oct 26 '12 at 16:09
  • 1
    Secure coding *is* one of a development team's core functions. – AviD Oct 27 '12 at 20:39
  • Unfortunately, this feels a lot like a shopping question which, for better or for worse, is rather verboten on StackExchange sites. – Scott Pack Oct 27 '12 at 21:51

5 Answers

9

There are a couple of free resources I know about which could be good introductions for this kind of thing. Security Innovation has a free OWASP Top 10 CBT, Security Compass has something similar here, as does Trustwave.

Beyond these basic ones, at least two of those companies have more options that are paid for, but these could be a good, free starting point.

Rory McCune
3

I recommend looking at Microsoft's Security Development Lifecycle (SDL). They have a lot of great resources.

Also look at BSIMM and OpenSAMM.

Some related questions and information:

D.W.
2

Check out Safelight Security. They are focused on application security training and have an entire curriculum for developers. Full disclosure: I work for Safelight! If you want to get information, you can request it directly from Larry Gorkun at lgorkun@safelightsecurity.com.

Bill the Lizard
1

Check out Codebashing and their SQL injection demo.

They have developed a cloud-hosted application security training platform that offers interactive tutorials, which also lets developers/students test security issues using sandboxed war games. Very similar to Codecademy, but for application security.

Full disclosure: I am a content developer at www.codebashing.com.

Toby
-1

Denim Group also does application security training, both through e-training and instructor-led onsite classes. I've taken the classes; they're pretty good.