There are too many application security classes that waste time by discussing multiple tools that serve the same purpose, or make application security concepts feel like magic by not addressing the practical application of theory. Using the tools I use and the techniques I've learned from years of application security consulting, I provide training that focuses on bringing theory and reality together to provide a true learning experience.
No one wants to hire a consultant without experience, but it's difficult to gain experience unless you already work in the field, or breach ethical boundaries. This is a challenge that many "green" application security professionals face. My training provides real world experience in a classroom environment, allowing for the growth required to to enter the work force with confidence and a developed skill set.
Above all, training gives me an opportunity to share my passion for application security with individuals who make a real difference in the state of security for the applications that impact our daily lives. From banks, to social media, to government agencies, the opportunity to support those on the front line of application security is a privilege I don't take for granted.
...but don't take my word for it. Scroll down to see testimonials from previous students.
|Jan 25-27, 2017||PWAPT (Developer Edition)||OWASP Boston||Waltham, MA (Boston)||register|
|Q1, 2017||PWAPT (Standard Edition)||OWASP NoVA||TBD||TBD|
Contact me for on-site training opportunities.
PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end, an oversight in most web application penetration testing courses. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.
The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack (Python Flask and React) and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won't be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.
This course has an available Developer Edition that contains the same content as the original PWAPT course (Standard Edition), but adds a full day of code remediation lecture and exercises. The code remediation content includes discussions on the proper techniques for mitigating vulnerabilities, and exercises where the instructor and students will modify the application's source code to implement mitigating controls and test them for effectiveness.
PWAPT is a PortSwigger preferred Burp Suite Training course. PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a ~2 week trial license for Burp Suite Pro to use during and after the course.
For additional insight into the origin, mission, and benefits of PWAPT, listen to my interview with Timothy De Block for the Exploring Information Security podcast on the topic of "What is Practical Web Application Penetration Testing?"
Day 3: (Developer Edition only)
@LaNMaSteR53 great PWAPT class. It was awesome getting to learn hands on— Bruce J. Adams Jr. (@brucejadamsjr) September 24, 2016
@LaNMaSteR53 Great investment of time and money: Tim Tomes' PWAPT class. A must for any web app pen tester. I found it highly beneficial.— Sunny Wear (@SunnyWear) May 29, 2016
Go to this, even if you gotta fly. That's what I did. Totally worth it. https://t.co/C1Gi10XvDb— 7 Minute Security (@7MinSec) February 17, 2016
@LaNMaSteR53 Great class! I loved the hands on nature of it instead of just slides and theory as you get with some other classes.— Kevin Lasher (@KevLasher) January 11, 2016
Really enjoyed @LaNMaSteR53's PWAPT training at DerbyCon 6.0. Learned a great deal from the class. Thanks Tim!— hazmat (@lotusr00t) September 22, 2016
@LaNMaSteR53 Thanks again for the PWAPT training, you've bridged the gap between what I learned on my own and what I needed to learn next— 67Shepp (@Shepp67) July 27, 2016
If you build software for a living, check out @LaNMaSteR53 and find a way to attend his training.— James Baxley III (@jbaxleyiii) May 18, 2016
I was looking for an affordable, 100% hands-on Webapp pentest course that would teach me a start-to-finish methodology.#PWAPT was all that!— 7 Minute Security (@7MinSec) January 10, 2016
@lanmaster53 It was definitely fun and informative! Thank you for taking the time and effort to put it together and teach it.— Kevin Ahrens (@kahrens) November 7, 2015
@lanmaster53, Thank you again for an awesome class (PWAPT). I paid for it with my own money --ie not my company -- and it was worth it!— Nancy Snoke (@NancySnoke) September 30, 2015
Wooo, epic nose bleed! Thats all the training from @lanmaster53 being stored in my head, forcing the blood out to make room :)— Steve Loughran (@z0rlac) September 25, 2015