News For Network Administrators

Help your organization write more secure code - Wednesday, February 03, 2010

This is Frank Kim, SANS Instructor and Application Security Curriculum
Lead, here to tell you about a fantastic opportunity that can seriously
help your organization write more secure code.  As you are certainly
aware, over 70% of the new exploits are coming through the application
layer.  The only effective way to stop these threats is to ensure that
your developers write more secure code.  For this reason, SANS has been
working diligently to build a curriculum for developers in many
different programming languages.

Register by February 18, 2010 for any OnDemand developer course, and
receive our Developer 304: Software Security Awareness course, a $424
value, for free for either you or anyone in your organization.
Additionally, since it is online you will save 100% of the travel costs.
Simply go to http://www.sans.org/info/53789 and use the discount code:
ODC_Dev304

If you are interested in learning more before you purchase the training,
click on this link http://www.sans.org/info/54013 and try one of the
five SANS Mini-Developer courses.  They are each about 30 minutes long,
and you will learn something that you can apply immediately.
Furthermore, they give you a chance to try this training medium to see
if it works for you.

Below is a list of courses available with this offer:

- Developer 422:  Defending Web Application Security Essentials
This course will help you understand the fundamental reasons behind the
Web vulnerabilities which will then enable you to properly defend your
organization's Web assets. Mitigation strategies from an infrastructure,
architecture, and coding perspective will be discussed alongside
real-world implementations that have worked. The testing aspect of
vulnerabilities will also be covered so you can ensure your application
is tested for the vulnerabilities we discuss in class. The key security
problem areas of Web applications will also be covered, as well as new
technology areas such as AJAX and Web Services.

- Developer 541: Secure Coding in Java/JEE
This is a comprehensive course covering a huge set of skills and
knowledge. It's not a high level theory course. It's about real
programming. In this course you will examine actual code, work with real
tools, build applications, and gain confidence in the resources you need
for the journey to improving security of Java applications. Rather than
teaching students to use a set of tools, we're teaching students
concepts of secure programming. This involves looking at a specific
piece of code, identifying a security flaw, and implementing a fix for
that flaw.

- Developer 542:  Web App Penetration Testing and Ethical Hacking
In this intermediate to advanced level class, you'll learn the art of
exploiting Web applications so you can find flaws in your enterprise's
Web apps before the bad guys do. Through detailed, hands-on exercises
and training from a seasoned professional, you will be taught the
four-step process for Web application penetration testing. You will
inject SQL into back-end databases, learning how attackers exfiltrate
sensitive data. You will utilize Cross-Site Scripting attacks to
dominate a target infrastructure in our unique hands-on laboratory
environment. And you will explore various other Web app vulnerabilities
in depth with tried-and-true techniques for finding them using a
structured testing regimen. You will learn the tools and methods of the
attacker, so that you can be a powerful defender.

- Developer 544: Secure Coding in .NET
During this course we will analyze the defensive strategies and
technical underpinnings of the ASP.NET framework and learn where, as a
developer, you can leverage defensive technologies in the framework,
and where you need to build security in by hand. We'll also examine
strategies for building applications that will be secure both today and
in the future.

- Developer 536: Secure Coding for PCI Compliance
Throughout the course we will look at examples of the types of flaws
that secure coding protects against, examine how the flaw might be
exploited and then focus on how to correct that code. Coupled with the
lectures, there are more than ten hands-on exercises where the students
will have the opportunity to test out their new skills identifying flaws
in code, fixing code and writing secure code. All of the exercises are
available in Perl, PHP, C/C++, Ruby and Java. This will allow the
student to try their hand at any of the major web application coding
languages that they work with in addition to some of the supporting
languages that might be at work behind the scenes. Students are not
required to be familiar with all of these languages but should be
proficient in at least one of them. Lectures are presented using a more
or less code-neutral format.

SANS OnDemand online training and assessments is a great option because
it provides:

- Access to SANS' world class training on your own schedule, in the
comfort of your own home or office
- 4 months of comprehensive SANS training with integrated lectures,
courseware, assessment quizzes, labs and hands-on exercises
- Access to our OnDemand Virtual Mentor and progress reports
- A full set of course books, any applicable hands-on CDs and
downloadable .mp3 audio files to keep even when your online access
expires.

If you have any questions about these courses, please call us at (301)654-7267.  And don't forget to tell your friends and colleagues about these great SANS course offerings.


Regards,

Frank Kim
SANS Instructor and Application Security Curriculum Lead

 
Endpoint security considerations for achieving PCI compliance - Tuesday, December 29, 2009

If your company handles charge cards, double-check your security measures.  Good article.  Link is here.

 
Everything you always wanted to know about the Windows Registry - Monday, December 14, 2009

The registry can be a mysterious and even scary place if you don't understand how it works. If you're an advanced user and want to find out more about all the different registry hives and keys, the different data types, and the different ways of editing the registry, check out Microsoft KB article 256986.

 
Finding Malware on your website - Thursday, October 29, 2009

Free Microsoft security tool locks down buggy apps - Wednesday, October 28, 2009

Microsoft has released a free tool designed to harden software applications against attacks that exploit common security vulnerabilities.
EMET, short for Enhanced Mitigation Evaluation Toolkit, allows developers and administrators to add specific security protections to applications.

http://go.theregister.com/i/cfh/http://www.theregister.co.uk/2009/10/27/microsoft_security_tool/

 
Copyright 2009 by 1USA.Com