Exploring Web App (In)Security

Tutorial D | Start Time: 08:30 | End Time: 17:30

This tutorial takes the form of a day-long exploratory security test of a deliberately insecure application and aims to introduce testers to the ideas and concepts of web security testing. Through a range of theoretical and practical exercises based around a target application, participants will learn how to model threats and how to identify and exploit vulnerabilities, working through real-world examples and an examination of the OWASP Top 10.

We'll start the day by building a threat model that highlights the areas we need to protect, enumerating the threats that matter in our context. From there we will plan and execute security tests to explore those threats. As we look at each threat, we'll cover the appropriate practical techniques and theory and then apply them in hands-on exercises against our application. As we find security problems, we'll examine the issues around reporting them.

The day will be a fun and highly practical one in which we cover a range of security testing techniques, including common ones such as Cross Site Scripting, Request Forgeries, Session Hijacking and many others. We will also start building your security testing toolkit from freely available tools.

This tutorial is suitable for any tester or test lead who is looking to extend their skills into security testing. No prior experience of security testing is required, but curiosity and interest in the topic are essential. The course will focus primarily on testing the security of web applications, so an understanding of modern browsers, HTML, JavaScript, HTTP and SQL would be useful (a pre-tutorial primer covering these will be available).


To attend this session, please choose Tutorial D on your registration form.

Speaker

Bill Matthews - Consultant, Target Testing Ltd, UK

Bill Matthews has been a freelance test consultant for over 15 years, working mainly on large migration and integration projects as a Test Architect, Manager and Technical Tester. He spends much of his time helping companies deliver the more technical elements of system and operational testing, such as integration, performance and security.

He is a regular speaker at testing conferences, mainly on technical topics such as web and mobile security, and teaches courses on both Web and Mobile Application Security.