EH-Net
May 24, 2013, 11:19:44 AM
Show Posts
1
Features / Book Reviews / Re: Reviewing my List of Books
on: October 16, 2009, 09:11:53 AM
Not really what you asked for, but I hope this is helpful... Check out the OWASP Podcast: http://www.owasp.org/index.php/OWASP_Podcast

I find this to be one of the more professional podcasts out there. Although OWASP is ostensibly focused on Web Application Security, more general software security is definitely a well represented topic. Also, if you aren't already familiar with OWASP, I highly recommend that you spend some time with this organization (reviewing the site, joining mailing lists of projects that interest you, joining a local chapter <if available in your area>).

19 Deadly Sins is a strong book. You also might want to check out Software Security by Gary McGraw. http://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705

Hope this helps. Seth
3
Ethical Hacking Discussions and Related Certifications / General Certification / Re: anybody with experience in SSCP?
on: October 15, 2009, 05:13:06 PM
Good to meet you. Sounds like you are making some very good career choices early in the game. This is certainly my own opinion, but I'm not sure how much value you would get out of adding the SSCP to your CV. To me the SSCP and Security+ are comparable (at least on the CV). The CISSP, on the other hand, seems to be considerably more prestigious, and is often a requirement for both managerial and technical positions alike (no comment on the merit of requiring pen testers to have a CISSP...). Given the amount of studying you have done thus far (one chapter left), I would recommend that you knock out that last chapter of SSCP, and then go study the additional 3 domains that comprise the CISSP. Though you don't yet have the requisite experience to be granted the CISSP, you will be awarded the "Associate of ISC(2)" credential, which can be converted to a full blown CISSP if you gain the experience requirements within 6 years of passing. Might be a bit more work, but I think the CISSP will be much more helpful in the long run, and since you have already studied most of the material...

Here is the brochure for the Associate of ISC(2): http://www.isc2.org/uploadedFiles/Credentials_and_Certifcation/Associate_of_(ISC)2/Associate%20of%20(ISC)2.pdf

Hope this helps. Seth Misenar
5
Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: Sans Disappoints !!!!!
on: April 09, 2009, 08:44:57 AM
Dark_Knight: Sorry to hear of the issues you encountered. First, I should openly state that I am not a SANS employee, but a contractor. I am one of the OnDemand Virtual Mentors that provides backend content support to 560 amongst other courses. I also regularly teach, once a month, for SANS (401, 504, 560, 542)... Needless to say I am biased towards SANS and have a vested interest in the students/clients being happy.

That being said, I can answer any technical questions you might have regarding the 560 class or the OnDemand delivery. You mentioned asking about the format of the labs. One thing I think you will very much appreciate about the OnDemand delivery method of 560 is that you have access to the normal course labs for the entire duration of your course access (4 months). Should you have any problems, questions, or just want a bit of extra practice with any one exercise you can practice at any time day or night throughout the entire 4 months of access. You will connect to the lab network via an OpenVPN connection. There are actually two different lab networks: the first network/connection is used for all labs encountered during days 1-5 of the course; the second is used exclusively for the capture the flag event.

Please let me know if you have any additional questions regarding this course, OnDemand, or anything else. Sorry again for the sour taste your initial customer service interaction left in your mouth. If there is anything that I can do to help, please contact me. Feel free to PM me or email me at first initial + last name @sans.org should you have any additional questions (should be pretty easy to grep given my obscure handle SethMisenar). Also, if the questions might benefit others at EH then please feel free to respond to this post with additional questions, though I admit that the frequency with which I monitor these forums seems to wax and wane with how busy my schedule is.

One last note... If you ever have customer service issues with SANS always feel free to email Stephen Northcutt, president of SANS, at stephen@sans.edu. Do keep in mind that he is incredibly busy and travels throughout the world teaching, but he is always available to ensure that SANS provides quality customer service.

Regards, Seth Misenar
7
Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Re: My department just got a seat for SANS!
on: March 15, 2009, 06:16:37 PM
Sorry to hear that you might not get the expected training. One thing I was able to do to get SANS training when budgets were tight was to offer to serve as a facilitator. Getting a course, certification attempt, and OnDemand access for $700 can certainly be a cost effective means to get SANS training. On top of showing initiative and sense of frugality, you get to network with other facilitators and to some extent instructors. There are other write-ups on Ethical Hacker about serving as a SANS Facilitator that can provide additional information on the experience. Hope this helps. You might have already been aware of the facilitator option, but I've found there are quite a few folks that don't realize this is an option.

You can apply for a workstudy slot here: http://www.sans.org/training/volunteer.php

Regards, Seth Misenar
12
Ethical Hacking Discussions and Related Certifications / Web Applications / SANS Protecting Your Web Apps
on: March 10, 2009, 08:09:45 PM
SANS Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them

Not sure when this was released, but I am sure that it was pretty recently. From the title I wasn't really expecting much, but was pleasantly surprised by the clarity with which the tips were explained. Frank Kim and Ed Skoudis co-authored this pithy 6 page paper. Here is the description from the SANS Reading Room:

Many web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.

This offering looks to be part of a new series from SANS entitled, Working Papers in Application Security. I am looking forward to future papers if they are written as lucidly as this one.

Here is the link to get the document: http://www.sans.org/reading_room/application_security/protecting_web_apps.pdf

http://www.contextsecurity.com/2009/03/10/sans-protecting-your-web-apps/

Seth Misenar
14
Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: SANS 542: Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit
on: February 27, 2009, 10:02:08 PM
Thanks for the response, all. I definitely had fun with the title/description, and hope that it will be a great webcast.

Chris (congrats on the write up in DarkReading, btw): 542 is going to be made available via OnDemand. The 6 day version of the course is being taught next week in Orlando for the first time. Audio is going to be captured for use in OnDemand/Self Study. 542 is listed on the OnDemand upcoming courses http://www.sans.org/ondemand/upcoming.php (though something tells me that the Feb mark is going to have been missed slightly).

The change that has me most excited about the new 6 day version of the course is that Day 6 will be Capture The Flag. Also, though I have not read through all of the updated material yet, the course just feels more polished than when it was a 4 day course. The layout and flow just seem to have a lot of forethought. The previous 4 day version of the course was great, don't get me wrong, but this version just feels like what was always intended. If you can't tell, I am pretty excited about the new version and serving as the TA in Orlando.

Let me know if I can answer any more questions about the course or webcast. Hope to see you all online on the 18th. Right, gotta finish packing for my 630 AM flight to Orlando in the morning.

Thanks, Seth
15
Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / SANS 542: Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit
on: February 27, 2009, 03:49:48 PM
Just wanted to let you all know about my upcoming SANS webcast. This webcast will provide an overview of the freshly updated 542: Web Application Pen Testing course that I will be teaching at SANS Secure Europe (Amsterdam) in May. In addition to the preview, we will also be running through some actual content from the course on XSS Frameworks and zombie recruitment in general. Webcast will run on 03/18/2009 at 10 AM EST.

Here is the info from the site: https://www.sans.org/webcasts/show.php?webcastid=92328

Webcast Overview: Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit

Featuring: Seth Misenar

In this preview to the newly updated SEC542 Web Application Penetration Testing course being offered in Amsterdam, you will learn how to build and control your very own zombie battalion/Army of Darkness. The discussion will start with a whizz|bang overview of the new 6 day version of SEC542, and quickly move to XSS Frameworks and, of course, zombies galore. Whether you are excited or petrified by the prospect of zombies, join Seth Misenar for this hour long webcast. As Bruce Campbell/Ash of Evil Dead fame would say, "Groovy".

Speaker Bios: Seth Misenar: When not watching zombie films, Seth Misenar serves as Founder/Lead Consultant for Context Security, which provides information security thought leadership, independent research, security training, and security consulting services. His background includes network and web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, as well as general security consulting. He has previously served as both a physical and network security consultant for Fortune 100 companies as well as the HIPAA and Information Security Officer for a state government agency. In his former life, Seth received a B.S. in Philosophy from Millsaps College where he was twice selected for a Ford Teaching Fellowship.

Also, Seth is no stranger to certifications and thus far has achieved credentials which include, but are not limited to, the following: CISSP, GSEC, GCIA, GCIH, GCWN, GCFA, GHTQ, GWAS, and MCSE credentials. He has previously taught numerous SANS classes including SEC401: Security Essentials, SEC504: Hacker Techniques, and SEC542: Web Application Penetration Testing. In addition to serving SANS in a teaching capacity, Seth also serves as both Virtual Mentor and Technical Director for SANS OnDemand.

Register for this webcast here: https://www.sans.org/webcasts/show.php?webcastid=92328