Hello everyone,

It has been some time since I last posted on EH.  I am glad to see that some of the familiar faces are around. 

I was hoping to get some advice.  I am looking for training options for a developer without much security experience.  I would love something that goes over secure coding practices, especially in web applications.  The course would need to not only cover potential vulnerabilities but also present options for fixing them.  As an additional request, it would be great if the class could work as a segue into future webapp penetration testing training.

SANS is out because of their price range unfortunately.  SensePost has some good options, but they are based out of South Africa.  I am trying to find something that is either online or offered in the Southeast US. 

Thanks in advance

Welcome back.

It's too bad SANS is off the table because the GWEB course is probably exactly what you're looking for.

eLearn and WAHH are great resources, and while not exactly what you're looking for, may be the closest you can get on a budget.

Also, just pick up a good development book on whatever language(s) you're interested in. Every decent one I've seen discusses security information along the way. The best way to learn something like that is to do some actual development omitting security checks and controls and then go back and add them in after you see what the impact is.

Welcome back ketchup!!

Just to be 100% clear, you are looking for a course on coding best practices and not pentesting web applications, isn't?

I searched for this a little while ago and ended up buying a few books. There aren't many classes on the topic. There are about 20 things you can do while designing systems and coding that will prevent 99% of attacks. And really, once you start to systematically filter inputs and encode outputs, things are already looking very good.

I also gave classes to my co-workers (web app developers) about security best practices. What I found is that if they don't understand the vulnerabilities, they won't understand why they have to change the way they code. For example, telling them to use prepared statements to prevent SQL injection won't do much to them unless they can see, with their own eyes, how bad SQL injection can be.

So to me, the best option is for you who knows about security, to go through a book or two and teach your team how to code securely.

Otherwise, if this is not an option, OWASP has some members that offer courses. App Sec USA will be held in NYC on November 18-21. They offer many classes on the topic for half the price of a SANS course.

You can also look at CAST, they often offer training in US: http://www.eccouncil.org/training/advanced_security_training/courses/cast-613.aspx

Good luck!