SANS Mentor brings Security 542: Web App Penetration Testing and Ethical Hacking (GWAPT) to Cleveland

Filed under Application Security

I’m proud to be teaching SANS Security 542 here in Cleveland through the SANS Mentor Program beginning in August. The SANS Mentor Program lets you save thousands from your training budget and still get live SANS instruction for the GWAPT course material – live training without traveling!


Security 542: Web App Penetration Testing and Ethical Hacking
Start date: Thursday, August 23. The class runs over 10 weeks, 6:30-8:30pm.
For details and tuition, visit:

Where: SecureState
23340 Miles Road
Cleveland, OH 44128

This local course is offered in a multi-week format via the Mentor Program. Each week I will answer questions and assist you with the hands-on labs and exercises during class. Mentor courses give you the opportunity to take SANS training without the expense and inconvenience of travel or of being out of the office during the workday.

An outline of the class is as follows:

– Learn an attack methodology, and how the pen-tester uses JavaScript within the test.
– Study the art of reconnaissance, specifically targeted at web applications.
– Start the discovery phase with a focus on application and server-side discovery.
– Examine Flash objects and Java applets.
– Exploitation.

The class wraps up with a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

I hope you can join me in August and earn your GWAPT Certification in 2012!

Are We Reaching Security Conference Overload?

Filed under Conferences

I saw a post from my friend Matt Neely on Twitter about how CarolinaCon and BSidesROC are on the same weekend this year. I’ve also had conversations with others earlier this week about DerbyCon (September 28-30) and GrrCon (September 27-28) being back-to-back as well. This is a trend that seems to grow every year, given the large pool of conferences out there. Not only do we have more security and hacking conferences than ever before, but now there is more overlap between them. My thought is that these choices can make it harder for researchers to present new and relevant content, and also make it tough for an attendee to decide which conferences to attend. DerbyCon was an excellent conference, but I’ve also heard great things about GrrCon. Which conference would a speaker or attendee choose? Both are also located in the central part of the country and near large cities, which makes it even more difficult for local folks to choose.

On the other hand, because of Security BSides and other smaller conferences over the years, more lesser-known speakers are getting out there. We’re also seeing more great talks and discussions than ever before because of these smaller conferences. This is a good thing for our industry. Many good talks still get rejected from the big conferences like Black Hat, and this is where conferences like Security BSides really shine. However, we potentially run the risk of seeing the same speakers and the same content, and as Matt said, we appear to have an “echo chamber problem” at all of these conferences, including the big ones. Is anyone else seeing this trend? Does the overlap of multiple security conferences matter to you? Like any trend in technology, are we about to burst the “Security Conference Bubble”? I often wonder what the security conference world will look like in a few years if this trend continues.

New reading material just arrived!

Filed under Mobile Security
I hope to do a review of this book soon. So far it looks to be a good technical read.