There are too many application security classes that waste time by discussing multiple tools that serve the same purpose, or make application security concepts feel like magic by not addressing the practical application of theory. Using the tools I use and the techniques I've learned from years of application security consulting, I provide training that focuses on bringing theory and reality together to provide a true learning experience.
No one wants to hire a consultant without experience, but it's difficult to gain experience unless you already work in the field, or breach ethical boundaries. This is a challenge that many "green" application security professionals face. My training provides real world experience in a classroom environment, allowing for the growth required to enter the work force with confidence and a developed skill set.
Above all, training gives me an opportunity to share my passion for application security with individuals who make a real difference in the state of security for the applications that impact our daily lives. From banks, to social media, to government agencies, the opportunity to support those on the front line of application security is a privilege I don't take for granted.
...but don't take my word for it. Scroll down to see testimonials from previous students.
|Sep 20-21||PWAPT (Conference Edition)||DerbyCon 7.0||Louisville, Kentucky||register|
|Oct 11-13||PWAPT||OWASP Boston||Boston, Massachusetts||register|
|Oct 25-26||PWAPT (Conference Edition)||Wild West Hackin' Fest||Deadwood, South Dakota||register|
Contact me for on-site training opportunities.
PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end, an oversight in most web application penetration testing courses. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.
The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack (Python Flask and React) and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won't be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.
PWAPT is a PortSwigger preferred Burp Suite Training course. PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a ~2 week trial license for Burp Suite Pro to use during and after the course.
For additional insight into the origin, mission, and benefits of PWAPT, listen to my interview with Timothy De Block for the Exploring Information Security podcast on the topic of "What is Practical Web Application Penetration Testing?"
Note: The Conference Edition is an abbreviated version of the course designed to fit into the typical 2-day conference schedule. While not all content can be covered during the Conference Edition courses, all of the content will be provided for self-study.
Students taking this course should have introductory knowledge of the OWASP Top 10. Students do not need to be comfortable with with explaining, finding, or exploiting common web vulnerabilities, but some level of exposure is ideal. This is not an advanced course. However, we will strive to cover advanced topics if the ability level of the student population allows.
This course contains code remediation content that includes discussions on the proper techniques for mitigating vulnerabilities, and exercises where the instructor and students modify the application's source code to implement mitigating controls and test them for effectiveness. While not required, a basic understanding of programming concepts will allow students to better relate to the terminology and techniques demonstrated for properly remediating the discussed vulnerabilities.
@LaNMaSteR53 great PWAPT class. It was awesome getting to learn hands on— Bruce J. Adams Jr. (@brucejadamsjr) September 24, 2016
@LaNMaSteR53 Great investment of time and money: Tim Tomes' PWAPT class. A must for any web app pen tester. I found it highly beneficial.— Sunny Wear (@SunnyWear) May 29, 2016
Go to this, even if you gotta fly. That's what I did. Totally worth it. https://t.co/C1Gi10XvDb— 7 Minute Security (@7MinSec) February 17, 2016
@LaNMaSteR53 Great class! I loved the hands on nature of it instead of just slides and theory as you get with some other classes.— Kevin Lasher (@KevLasher) January 11, 2016
Really enjoyed @LaNMaSteR53's PWAPT training at DerbyCon 6.0. Learned a great deal from the class. Thanks Tim!— hazmat (@lotusr00t) September 22, 2016
@LaNMaSteR53 Thanks again for the PWAPT training, you've bridged the gap between what I learned on my own and what I needed to learn next— 67Shepp (@Shepp67) July 27, 2016
If you build software for a living, check out @LaNMaSteR53 and find a way to attend his training.— James Baxley III (@jbaxleyiii) May 18, 2016
I was looking for an affordable, 100% hands-on Webapp pentest course that would teach me a start-to-finish methodology.#PWAPT was all that!— 7 Minute Security (@7MinSec) January 10, 2016
@lanmaster53 It was definitely fun and informative! Thank you for taking the time and effort to put it together and teach it.— Kevin Ahrens (@kahrens) November 7, 2015
@lanmaster53, Thank you again for an awesome class (PWAPT). I paid for it with my own money --ie not my company -- and it was worth it!— Nancy Snoke (@NancySnoke) September 30, 2015
Wooo, epic nose bleed! Thats all the training from @lanmaster53 being stored in my head, forcing the blood out to make room :)— Steve Loughran (@z0rlac) September 25, 2015