Security Laboratory

Security Laboratory

Security Laboratory: Which SANS course should I take?

If you are new to computer, network or information security, the SANS Institute offers a number of introductory courses to get you on your way. But not every course is right for you and this series of essays is intended to help you make course selections to best fit your needs.

Other Related Articles in Security Laboratory: Which SANS course should I take?

Security 503: Intrusion Detection and the Software Security courses are my favorites, here is why

Johannes Ullrich

I am frequently asked by friends to suggest a SANS course. Usually the questions are, "What is the best course?... Who is the best instructor at SANS?" Well, these aren't exactly the right questions. All of our courses are great, all of our instructors know a lot about what they teach. But not every course is right for you.

If you are new to network security, SANS offers a number of introductory courses to get you going. Please remember that these courses are an introduction to network security and not an introduction to using a computer. You should already have some understanding of operating systems and networks. Which introductory course is right for you depends on your job. One of our most popular courses is SEC401: SANS Security Essentials. This course teaches you everything you need to know about network security. Well, not exactly. But it's about as close as you can get to that goal in 6 days. The class includes some challenging evening hands-on sessions. It's a lot of work! Now, if you are less hands-on and looking more for a manager's perspective, consider MGT512: SANS Security Leadership Essentials for Managers.

Once you've got the introductory course under your belt, it's time to move on to the next level. We offer a number of more specialized and advanced courses. Consider what you spend most of your time with; for instance, if it is administering Windows, then SEC505: Securing Windows is your course. Or, if Unix is what you do most, we have got SEC506: Securing Unix/Linux for you. The list goes on with a number of additional 5XX and 6XX level courses:

  • SEC503: Intrusion Detection in-Depth is one of my personal favorites. It's probably the most detailed and up to date course about TCP/IP offered anywhere. It's not just about adjusting the knobs of an IDS, but the course is very much about understanding TCP/IP
  • SEC502: Perimeter Protection in-Depth is a companion course to SEC503 (Intrusion Detection) that covers a lot about network architecture, VPNs and how to control traffic inside your network
  • SEC617: Assessing and Securing Wireless Networks is another amazing course. As a special bonus, you will get a "SWAT" kit complete with GPS, wireless network card and antenna to take back home with you.
SANS has recently added a new focus on software security. With this comes a whole set of great courses. If systems aren't "your thing" and you spend most of your time writing software, designing software, auditing software or managing software development, take a look at these new courses. Many of them are only 1 or 2 day courses, a nice introduction to SANS if you are afraid that your head might explode after 6 days of intense learning. *smile*

One class that stands out in the new software security group is the Web Application Security Workshop. It's a unique approach to software security in that it does not focus on a particular programming language. You may be using Java, PHP or .Net, but the basic issues with web applications are the same. You need to understand user input validation, you need to know how sessions work, and you very much need to know that "SSL" doesn't make a "secure website". This course works well for coders, auditors and project managers (but it is still hands-on and technical). An amazing course if you need to know more about web security. As an add-on to this course, you can use SEC538: Introduction to Pen Testing Web Applications. This course will show you more tricks about how to audit a web based application. It is very useful if you need to convince someone why a particular problem is so dangerous! Are you moving to AJAX and Web 2.0? We have a class for you ... SEC426: Ajax and Web Services Security Overview!

This covers only a small cross-section of all the classes we have to offer. Actually, some of the other classes I just don't know well enough to talk about. But I do hear great comments about the forensics class (SEC508); and, the wireless security class (SEC617) is probably our best hidden gem, in particular since it comes with a set of cool toys for you to take home.

In closing, remember that all SANS classes are "technical". You won't find a lot of empty talk. There is a joke that in each SANS class you have to decode at least one IP packet in hex. This may not be quite true, but it certainly tells you that you will have a lot of fun and bring home a great bag of tricks. You will use your own laptop in hands-on exercises for a reason: it's the only way to make sure that it will work once you get home. And I would hate to teach you some magic trick that you couldn't show off to your coworkers or boss the day you get home!