Las Vegas, NV - May 31 - June 9, 2008
Real life - real solutions changed the way I look at security.
-Richard B. Williams, US Army ALTESS
Work Study opportunities are still available for the Penetration Testing Summit. Please visit the Work Study Facilitator Page to submit an application.

SANS WhatWorks in Penetration Testing & Ethical Hacking Summit
with Ed Skoudis
- Dates:
  - Pre-Summit Courses: May 31 - June 1
  - Summit: June 2-3
  - Post-Summit Courses: June 4-9
- Summit Venue:
  - Paris Hotel
    3655 Las Vegas Blvd So.
    Las Vegas, Nevada 89109
    Phone: 877-603-4386
    Website: http://www.harrahs.com/casinos/paris-las-vegas/
Multi-Summit Pass
Add on the Multi-Summit Pass Feature to your Pen Testing Summit registration and get the benefits of two great Summits. You will be able to move between both Summits and choose the talks and panels that will bring the greatest benefits to you and your company.
Learn more about the SANS WhatWorks in Web Application Security Summit.
Summit Overview
To secure their infrastructure and meet compliance requirements, enterprises increasingly rely on comprehensive penetration testing and vulnerability assessments. Various regulations, the Payment Card Industry standards, and basic due diligence require finding security flaws through the use of assessment and penetration testing methods before malicious attackers find them. But, without skilled personnel, a professional and repeatable process, and trustworthy tools, penetration testing is a shot in the dark and could be dangerous to enterprise operations. The SANS Penetration Testing and Ethical Hacking Summit brings together industry leaders to help enterprises get the most out of their penetration testing. We'll discuss the latest processes and technologies for effective vulnerability discovery and remediation throughout an enterprise. In a series of highly interactive sessions, expert penetration testers and enterprise personnel will share lessons learned from the trenches with the goal of helping others improve their testing operations. Detailed Q&A sessions will let attendees grill the experts to get deep into policy, process, and technical aspects of testing. Several case studies will illustrate best practices as well as techniques to avoid. Vendor shoot-outs provide an opportunity to ask hard questions to determine which tools best meet business and technical requirements. Whether your organization performs penetration testing in-house or relies on third-party testing companies, this SANS Summit will help you maximize the value of your testing budget.
What Will You Learn at the Penetration Testing and Ethical Hacking Summit?
- Methods for ensuring comprehensive, repeatable tests and assessments.
- Real-world testing techniques from industry-recognized experts to find vulnerabilities while minimizing the chance of disruption of target systems.
- Details about products and free tools that should be on your short list for use in effective penetration testing and vulnerability assessments.
- An understanding of the various components of comprehensive testing, including network and web application analysis.
- Lessons learned from tests in large- and medium-scale environments.
- Practices of penetration testing pioneers that push the envelope in developing new tools and techniques for finding flaws.
- Current trends in malicious attacks and how our penetration testing processes must adapt based on them.
Questions to Be Answered at the Summit
- How can I improve the efficiency of my penetration test regimen, so that I can evaluate more systems in less time?
- What are the latest exploitation techniques for network and web application testing, and how can I incorporate them into my testing?
- What processes and tools can I use to evaluate client-side vulnerabilities in browsers and related programs?
- What criteria should I use to select a penetration testing company that can best meet my business needs?
- What are some of the best and latest techniques for doing detailed reconnaissance? Scanning? Exploitation?
- How can I leverage free, open-source tools along with commercial tools to maximize my results?
- How can I conduct tests across large enterprises, scaling to have maximum effect with limited resources?
- What techniques can help limit the risk of crashing a service or otherwise impairing target machines during a test?
- What options should I include in the scope of tests, such as server-side tests, client software tests, web applications, network penetration tests, and social engineering?
- What are the biggest gotchas that cause test problems, and how can I avoid them?
- How can I formulate my findings to have maximum impact in improving the security of the target organization?
- What will the next generation of exploits and tools look like?
- How can I evaluate various commercial scanning and testing tools that will best fit my environment and business needs?
- What are the implications of recent legal changes regarding vulnerability assessment tools in various countries?
Who Should Attend?
- In-house penetration testing personnel who need to understand the latest tools and techniques for efficiently finding and remediating vulnerabilities.
- Auditors who need to understand vulnerability scanning tools and procedures, as well as interpreting their output during audits.
- Managers responsible for leading in-house or third-party penetration testing and vulnerability assessment operations.
- Third-party penetration testers looking to learn about the latest testing procedures and tools to improve their skills.
- Consultants tasked with helping their clients find vulnerabilities on their intranet and Internet-facing systems using penetration testing, vulnerability assessment, and ethical hacking.
Pre and Post Summit Courses
Register for these in-depth SANS courses, offered both before and after the Summit, to get the most out of your training budget.
- Tactical Exploitation Training
- You might find another course that covers the tactics of exploitation, but you will rarely have the opportunity to learn the secrets of tactical exploitation directly from the industry giants. The instructors for this course are legends in information security: HD Moore, founder of the Metasploit Project and one of the core developers of the Metasploit Framework, and Valsmith, founder of Offensive Computing, a public, open source malware research project.
- Secure Web Services for Managers
- NIST SP 800-95 gives solid architectural guidance and is a breakthrough document, but its content is beyond the reach of most managers. When we read terms like SOA, SOAP, TLS, XML, XACML, UDDI, WSDL, our eyes glaze over even though we know this is really important material. SANS wants to help. For this inaugural event, we have enlisted one of SANS' top instructors, Dr. Eric Cole, a fellow of the SANS faculty, to break it down for you step by step. By the end of the class you will understand secure web services and will be ready to ask your web team the right questions and give the right guidance. There are no prerequisites, though some basic IT and IT security knowledge is assumed. There is read-ahead material for students who do not have an IT background, and we highly recommend that they look that material over before attending.
- Network Penetration Testing and Ethical Hacking
- Security vulnerabilities such as weak configurations, unpatched systems, and botched architectures continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.
- Hacker Techniques, Exploits & Incident Handling
- This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.
- Advanced Web Application Penetration Testing
- Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited web sites altered by attackers. In this intermediate-to-advanced class, you'll learn the art of exploiting web applications so you can find flaws in your enterprise's web apps before the bad guys do.
- Web Application Security Workshop
- How do you protect your Web applications? Our Web application security workshop is a 2-day, hands-on, action-packed course covering the common vulnerabilities that are leveraged by attackers, the principles of securing Web applications, and general defense techniques to protect against future attacks. This course will help you understand the mechanics of the components necessary for effective Web application security, which will then enable you to properly defend your organization's assets.
- Web Application Penetration Testing Fundamentals
- Successful attacks against websites using application-level flaws are very common nowadays. Would you want hackers to be the first to test the security posture of your critical web applications? If you don't, security testing of web applications during and after development is absolutely necessary. This two-day course starts off with a discussion of software security testing and how it fits into the development lifecycle. We will discuss testing methodologies that are sensible and practical, so you can apply these testing concepts to any of your web applications.
- Defensive Programming and Secure Design
- This two-day course provides developers a strong foundation in software security as it relates to the implementation of applications. Designed with detailed examples and exercises, this class focuses on the right way for developers to think through security problems. It does this with a combination of structured theory, animated demonstrations, technical deep-dives, and illustrated explanations. It connects the habit of "building security in" through proven programming practices and explains common security-related problems in detail so that software engineers can avoid them in their own work.
- Software Security Awareness
- This awareness course discusses design and implementation of software applications to reduce the risk from hackers and attacks. The concept is to engineer software so that it continues to function correctly under malicious attack. This course introduces defensive coding and tips to avoid creating problems or vulnerabilities. We also examine the most common flaws of software design and implementation, and you will learn about specific practices to avoid those flaws.
How Good Are SANS Summits?
Here's more from people who attended the last Summit:
This Summit provides an excellent means to stay informed on what is available today; and what the current and emerging issues are.
- Yong Choe, SAIC
Excellent presentations of practical experiences.
- Rich Lansing, Bloomberg