You can be as thorough or as simplistic as you would like. Dojo is designed to provide practical, hands-on exercises in web security and intrusion techniques. LSO also offers video demonstrations of common attack tools as part of its comprehensive training offerings. Its sole purpose in life is to put as many security tools at your disposal with as many training options as it can. Every Monday at 8:
Other Security Training
Have a look through our postings below for announcements of their availability. For more information on ShmooCon, see its description on our Infosec Conferences page. SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats — the ones being actively exploited. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your offices.
They were developed through a consensus process involving hundreds of administrators, security managers, and information security professionals, and address both security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of IT security.
SANS training can be taken in a classroom setting from SANS-certified instructors, self-paced over the Internet, or in mentored settings in cities around the world. Classes range from a few days up to an entire week. Additionally, many certified local SANS instructors offer similar training in a once-a-week format rather than a week-long session.
Each of their training sessions can lead to certification. Although their briefings get all the press, BlackHat also offers top training from various security vendors. Their DC conference is no exception. For more information on Offensive Security, see its description on our Infosec Organizations page. Periodically, they give training throughout the NoVA area. For more information on Foundstone, see its description on our Infosec Organizations page.
Formal Education
Many local universities offer bachelor's and graduate-level specializations in infosec. Here is a list of local universities along with links to their related programs: This university offers numerous Bachelor and Graduate level infosec courses as summarized on their main infosec page. For example, the Computer Security and Information Assurance one provides a coordinated four-course sequence in computer security and information assurance that emphasizes concepts in Computer Security augmented with current industry standard techniques and challenges.
Other Security Training
Since training can now be done locally as well as from afar, here is a list of virtual offerings. This site is the open source project center for the Penetration Test LiveCD project supported by the commercial training offerings at Heorot. The PenTest LiveCDs provide those interested in learning how to PenTest the opportunity to practice and learn against servers in a real-world scenario.
This project has been presented at security conferences across the US, and is detailed in the new book: For more information on Heorot, see its description on our Infosec Organizations page.
DVL comes as a Live Linux distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. It can also be run within virtual machine environments, such as QEMU or VMware. DVL is highly integrated into the community project crackmes. New lessons can be obtained from or submitted to the DVL site.
The distribution is ideal for both novices and professionals, but a basic knowledge of Linux is needed. Hacme Bank is designed to teach application developers, programmers, architects, and security professionals how to create secure software. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it.
The web services exposed by Hacme Bank are used by our other testing applications including Hacme Books and Hacme Travel. Foundstone Hacme Travel is designed to teach application developers, programmers, architects, and security professionals how to create secure software. Hacme Travel simulates a real-world travel reservation system, which was built with a number of known and common vulnerabilities such as SQL injection and buffer overflows.
Foundstone Hacme Shipping is a web-based shipping application developed by Foundstone to demonstrate common web application hacking techniques such as SQL Injection, Cross-Site Scripting, and Escalation of Privileges, as well as Authentication and Authorization flaws and how they are manifested in the code. Foundstone Hacme Casino is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
This extensible online casino platform is written using Ruby on Rails and demonstrates the security problems that can potentially arise in these applications. Foundstone Hacme Books is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security. As a full-featured J2EE application, Hacme Books is representative of real-world J2EE scenarios and demonstrates the security problems that can potentially arise in these applications.
Damn Vulnerable Web App: From Maven Security, this is a free, open-source, self-contained VirtualBox training environment for web application security penetration testing. It contains both the necessary tools and targets. It basically consists of various web application security testing tools and vulnerable web applications that were added to a clean install of Ubuntu v9. Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for: Well, you could either install and configure all the applications above or just load up this VM, which not only offers many of the apps above but also versions of others e.
This is an effort to provide a wealth of applications with known vulnerabilities for those interested in: All the while saving people interested in either learning or testing the pain of having to compile, configure, and catalog all of the things normally involved in doing this process from scratch.
Online Web Applications
TestFire: This is the Altoro Mutual online bank that is open for people to play with. Click on Show Solution to display the solution to a scenario; Show Plan provides additional didactic information.
Show Source familiarizes you with the source code, and Restart Lesson launches the active task again. WebGoat Stop in the menu stops the service. Google Gruyere and McAfee's Hacme Casino are two other toolkits for learning protection technologies for web pages.
You have to manually launch these tools via the Targets menu before the web pages are available in Firefox. Gruyere, which is named after the cheese, portrays several typical methods for hacking a website and familiarizes you with solutions that prevent such attacks.
Hacme Casino is extremely playful and looks like a gambling website; however, it also serves as a learning tool, letting the user trace through some common attack techniques. A detailed manual for Hacme Casino is available in English with many practical examples. In the Tools menu, you will find a wide range of tools and scanners for your own research. These tools include the security scanner Arachni, the browser exploitation framework BeEF, the Metasploit Framework, and the w3af framework — including a command-line version.
DirBuster, an application written in Java for brute-force attacks, and BurpSuite are also available. The manufacturer has put a lot of effort into documentation for Web Security Dojo. The documents and videos make it easier for beginners to install and get acquainted with the system. Instructions for the main suites and frameworks are available in the Documentation folder. The Zim desktop wiki is available for you to record your own notes. To launch Zim, click the Zim icon on the desktop.
Learning about web security with Web Security Dojo
Protecting your own websites from attack either costs a lot of money or requires a lot of expertise. The image creates a preconfigured virtual machine. Dojo provides the proxy services that are required for some applications in the form of Firefox add-ons.
DVWA provides an initial overview of attack scenarios. WebGoat is more suitable for advanced users.