Introduction into security testing (3-day course)

Who is this course for?

This course is suitable for IT professionals who have knowledge and experience in at least two of the following disciplines: engineering, infrastructure, testing and test tooling. They must be able to operate at higher vocational/university level.

Result

Computest courses really capture the participants’ imaginations by immersing them in the hacker mindset.

Onno Wierbos, Manager non-functional testing at NS

After completing the course, the participants will have an understanding of the what and why of security testing and they will have experience of the testing itself. They will be able to perform security testing independently.

After the course, they will be able to:

  • Analyse an application/process from the point of view of security testing;
  • Provide input about security risks on a project;
  • Advise on security testing for a project;
  • Advise on the necessary tools and actually use the most important tools;
  • Interpret the results (of test performance and tooling) – for example, filtering out false positives;
  • Perform substantive technical security tests on a wide range of components.

Price, dates and location

The course costs €2400 per person. We run the course on three consecutive days so that participants can really leave their daily work behind and focus completely on the world of hacking. We provide a pleasant and relaxed learning environment. The courses are held at the Computest office. We have a beautiful space available for this purpose with a roof terrace, and we also serve a delicious lunch. In-company training can also be delivered at the customer location.

Programme: theoretical framework

In order to perform security tests in practice, the testers first need to have a framework within which to place the security testing. This theoretical framework is needed to ultimately formulate and implement comprehensive test cases.

Matters that will be covered in this section:

  • Context and sketching the landscape. What do the typical security threats to an organisation consist of?
  • Security and risks: how is security discussed in an organisational context? Which risks need to be addressed?
  • What tools are there to address those risks, and what role does testing play in this?
  • Which types of security testing are there, and when is which type appropriate?

Programme: practical knowledge

After sketching the theoretical framework, we will turn to practice. The breakdown will be about 25% theory and 75% practice. During the practical components, the testers will experience for themselves which vulnerabilities we observe in web applications and infrastructure and how a tester can test for them him/herself (manually and with the help of tools). The exercises will mainly consist of challenges which the testers can tackle independently.

The course will include the following elements:

  • What does a security test on an infrastructure, mobile app, web application or API endpoint look like in practice?
  • Identifying the attack surface of an infrastructure (e.g. port and protocol scanning).
  • Looking for configuration problems in an infrastructure.
  • Looking for any hidden services in an infrastructure (e.g. firewall evasion and service discovery).
  • Testing whether sensitive data are adequately protected when they are sent between the client and the server (e.g. SSL/TLS configuration vulnerabilities).
  • Testing the authentication layer (e.g. authentication bypass and brute-forcing).
  • Testing whether authorisation controls are applied consistently and correctly (e.g. identifier-based authorisation and enumeration).
  • Testing for various session-related vulnerabilities (e.g. cross-site request forgery, session hijacking, CORS).
  • Testing for some defence-in-depth and configuration vulnerabilities (e.g. cookie flags, brute-force protection and session management).
  • Testing for various injection vulnerabilities (e.g. SQL injection and cross-site scripting).

Training by our hackers

The most important thing that sets our courses apart is that they are taught by our own ethical hackers with programming knowledge. Our trainers are first and foremost passionate hackers who apply their skills to complex security projects on a daily basis. And who better to train a developer than a hacker?

Thanks to the enthusiasm with which they communicate their knowledge and vividly illustrate it with examples and practical situations, they are valued as trainers and guest speakers. Our trainers work at, and are educated to, higher vocational/university level and are selected for their good communication and social skills.

Our vision of learning

We strongly believe in ‘learning by doing’. A theoretical framework is important for placing security testing within the security domain. But in order to really make the world of hacking tangible and increase security awareness, it is important to get the participants involved in practical assignments. At Computest, about 75% of the course consists of hands-on training.

With the help of interactive sessions and a range of challenges, participants learn to hack, draw up security plans and/or carry out tests. Our trainers supervise them intensively during the assignments and answer questions so that they can work independently in practice.

Assuring quality

Daan Keuper is responsible for the overall quality of our training. He is a top hacker; he has finished third in global hacking competitions three times and made the news by finding vulnerabilities in the iPhone and in a passenger vehicle. He also has over 10 years of experience in delivering security and other training courses for technical and non-technical participants.

Daan develops the customised courses, provides the teaching materials and constantly keeps them up to date. He delivers courses himself and is also responsible for selecting, training and supervising other trainers. Daan regularly sits in on courses to monitor their quality and the professionalism of the trainers and to provide guidance where necessary. We also ask our participants for feedback after each course by means of an anonymous tool. This feedback is discussed by Daan and the trainers in order to further improve our courses.

Customisation

Tailor-made courses are always an option, for large or small groups. Thanks to the broad knowledge we have in-house, we can provide courses for all kinds of target groups and to a very high technical standard. Courses can also be focused on a particular topic, for example mobile apps. As such, you will always be able to find an appropriate course or have one tailored to your needs. Please contact us to discuss the options.

Want to register or find out more?

Computest Trainingen

Want to know more? Contact us!