Web services have been a cornerstone of enterprise and startup architectures for many years. However, testing the security of web services is still considered a daunting and obscure task by many penetration testers. On the other side of the coin, knowledge of how to properly secure web services is sporadic in the development community. In this two-hour session the instructor aims to fill this knowledge gap by first defining and explaining web services and then walking through best practices for both testing and securing them. By the end of the session students should have a good understanding of the difference between SOAP-based and RESTful web services. Students will also understand common attack vectors, which testing tools to use, and best practices for securing web services against these attacks.
Jason Gillam is a Principal Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to Fortune 100 companies and has learned the business acumen necessary to advise everyone from developers to senior executives on security and architecture.
Jason co-built and managed an award-winning ethical hacking program at one of the world's largest financial institutions. He also provided numerous application security training and awareness briefings to a large internal technical audience and led the development of best-practice code and documentation for the same. Jason is especially passionate about integrating security best practices into the SDLC.
Jason holds his GIAC Web-Application Tester certification. He has spoken at several events including the Charlotte-Metro ISSA Summit, multiple BSides events, Hackfest (Canada), and the UNC Charlotte Cyber Symposium. He is also the author of several Burp extensions including CO2 and correlator, and an active contributor to other open-source projects including MobiSec, SamuraiWTF, and Laudanum.