There are no prerequisites for attending this course.
The course gives an overview of the applicable security solutions in web applications, with a special focus on understanding the most important cryptographic solutions to be applied. The various web application vulnerabilities are presented both on the server side (following the OWASP Top Ten) and the client side, demonstrated through the relevant attacks, and followed by the recommended coding techniques and mitigation methods to avoid the associated problems. The subject of secure coding is wrapped up by discussing some typical security-relevant programming mistakes in the domain of input validation, improper use of security features and code quality.
By the end of this training, participants will be able to:
- Identify web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
- Recognize client-side vulnerabilities and apply secure coding practices
- Have a practical understanding of cryptography
- Stay informed about recent vulnerabilities in various platforms, frameworks and libraries
Audience
- Developers
Format of the course
- Part lecture, part discussion, exercises and heavy hands-on practice
Day 1
- What is a web application?
- Security vs. insecurity: the need for security
- HTTP Basics
- Cookies
- Web Architecture
- Interception Proxy
- Hands On
- OWASP Top 10 (2010) for Secure Development, Hands-On
- Injection
- Cross Site Scripting
- Broken Authentication and Session Management
- Insecure Direct Object Reference
- Cross Site Request Forgery
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Day 2
- Authentication and Authorization
- Hands On
- Secure Authentication and Authorization in C#/.NET
- Session Management
- Hands On
- C#.NET Session Storage – Cookies vs. Database
- Data Validation
- Hands On
- Data Validation in .NET Model
- Default Type Validators
- Custom Validators
- ActiveRecord Validation Hooks
- Interpreter Injection
- Hands On
- Input Validation and Output Encoding in .NET Framework
- ActiveRecord ORM
- Secure Custom Queries with ActiveRecord
- Canonicalization, Locale and Unicode
- Hands On
- Internationalization
- Error Handling, Auditing and Logging
- Hands On
- Logger
- Standard Logging
- Unified Logging
- Security Concerns in Logging
- File System in detail
- Hands On
Day 3
- Cryptography
- OpenSSL Library
- Secure Random Number Generator
- Example of salted hashing
- Application Data Management using ActiveAdmin
- Web Server Basics
- Infrastructure Security for Secure Development
- Secure Deployment of Application
- Handling File Uploads
- File Upload Managers
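Day 3 names the OpenSSL library, a secure random number generator and an example of salted hashing, and Day 4 returns to secure hashing, HMAC for integrity verification, and better ways to store sensitive data. The following block is an added example written for this page, not course material, and ties those items together in Ruby's OpenSSL binding: a random per-user salt, a slow PBKDF2-HMAC-SHA256 derivation instead of a bare hash, constant-time comparison on verify, and an HMAC tag that detects tampering with a value the server hands to the client. The iteration count is an assumption (taken from the current OWASP guidance for PBKDF2-HMAC-SHA256); the cookie string and the module names are constructed for the demo. scrypt or Argon2 would be the "newer, better" choice where available; the shape of the code is the same.

```ruby
require 'openssl'

# Password storage: random salt + PBKDF2-HMAC-SHA256 (OpenSSL), self-describing
# stored format so the cost factor can be raised later without breaking old rows.
module PasswordStore
  ITERATIONS = 600_000 # assumption: OWASP's current PBKDF2-HMAC-SHA256 figure; tune per hardware
  SALT_BYTES = 16
  KEY_BYTES  = 32

  # Compare two byte strings without leaking where they first differ.
  def self.constant_time_eql?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns "pbkdf2-sha256$<iterations>$<salt b64>$<derived key b64>".
  def self.hash_password(password, iterations: ITERATIONS)
    salt = OpenSSL::Random.random_bytes(SALT_BYTES) # CSPRNG, never rand()/Random
    dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: KEY_BYTES, hash: 'sha256')
    ['pbkdf2-sha256', iterations, [salt].pack('m0'), [dk].pack('m0')].join('$')
  end

  # Re-derives with the stored salt and cost and compares in constant time.
  def self.verify_password(password, stored)
    algo, iters, salt_b64, dk_b64 = stored.to_s.split('$', 4)
    return false unless algo == 'pbkdf2-sha256' && iters.to_i.positive? && salt_b64 && dk_b64
    salt     = salt_b64.unpack1('m0')
    expected = dk_b64.unpack1('m0')
    candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iters.to_i,
                                         length: expected.bytesize, hash: 'sha256')
    constant_time_eql?(candidate, expected)
  rescue ArgumentError # malformed base64 in the stored value
    false
  end
end

# Integrity tag for data the server gives out and later reads back (a cookie,
# a signed URL parameter). A plain SHA-256 of the data is NOT integrity
# protection: anyone can recompute it. An HMAC needs the server-side key.
module IntegrityTag
  def self.tag(key, data)
    OpenSSL::HMAC.hexdigest('SHA256', key, data)
  end

  def self.valid?(key, data, tag)
    PasswordStore.constant_time_eql?(tag(key, data), tag.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = PasswordStore.hash_password('correct horse battery staple')
  puts stored
  puts PasswordStore.verify_password('correct horse battery staple', stored)

  key = OpenSSL::Random.random_bytes(32)           # server-side secret
  cookie = 'user=alice;role=user'                  # constructed sample value
  t = IntegrityTag.tag(key, cookie)
  puts IntegrityTag.valid?(key, cookie, t)                       # true
  puts IntegrityTag.valid?(key, 'user=alice;role=admin', t)      # false: tampered
end
```

Two hashes of the same password differ because the salt is fresh each time; the stored string records the cost so a later increase of `ITERATIONS` only affects new or re-hashed rows.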
Day 4
- Securing File Upload
- Database Security Basics
- Basics of cryptography for the web and of TLS/SSL
- Secure Hashing
- HMAC for Integrity Verification
- Hashing and salting, and newer, better ways to store sensitive data
- Security Response Headers
- CSP
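Day 4 closes with security response headers and CSP. As an added illustration (not part of the course material), here is a small Rack-style middleware in Ruby that sets those headers on every response and generates a fresh CSP nonce per request, so the only inline scripts that run are the ones a template explicitly tags with that nonce. It follows only the `call(env) -> [status, headers, body]` convention and does not need the rack gem; the `csp.nonce` env key, the demo app and the header values are assumptions chosen for the example.

```ruby
require 'securerandom'

# Adds security response headers to every response of the wrapped app.
# The CSP uses a per-request nonce instead of 'unsafe-inline'.
class SecurityHeaders
  def initialize(app, hsts_max_age: 31_536_000) # one year
    @app = app
    @hsts_max_age = hsts_max_age
  end

  def call(env)
    nonce = SecureRandom.base64(16)   # CSPRNG, unguessable, fresh per response
    env['csp.nonce'] = nonce          # assumed key; templates read it for <script nonce="...">
    status, headers, body = @app.call(env)
    [status, headers.merge(self.class.headers_for(nonce, hsts_max_age: @hsts_max_age)), body]
  end

  def self.csp_for(nonce)
    [
      "default-src 'self'",
      "script-src 'self' 'nonce-#{nonce}'", # no 'unsafe-inline', no wildcard hosts
      "object-src 'none'",                  # no plugins
      "base-uri 'self'",                    # stop <base> hijacking of relative URLs
      "frame-ancestors 'none'",             # clickjacking defence (CSP-era X-Frame-Options)
      "form-action 'self'"                  # forms may only post back to this origin
    ].join('; ')
  end

  def self.headers_for(nonce, hsts_max_age:)
    {
      'Content-Security-Policy'   => csp_for(nonce),
      'Strict-Transport-Security' => "max-age=#{hsts_max_age}; includeSubDomains",
      'X-Content-Type-Options'    => 'nosniff',
      'X-Frame-Options'           => 'DENY',      # for browsers without frame-ancestors support
      'Referrer-Policy'           => 'strict-origin-when-cross-origin'
    }
  end
end

# Constructed demo app: renders one inline script tagged with the request's nonce.
DEMO_APP = lambda do |env|
  html = "<script nonce=\"#{env['csp.nonce']}\">console.log('allowed by CSP');</script>"
  [200, { 'Content-Type' => 'text/html' }, [html]]
end

def demo_response
  SecurityHeaders.new(DEMO_APP).call({ 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' })
end

if __FILE__ == $PROGRAM_NAME
  status, headers, body = demo_response
  puts status
  headers.each { |k, v| puts "#{k}: #{v}" }
  puts body.join
end
```

A script injected through XSS carries no nonce, so the browser refuses to run it even though it is inline; the nonce must never be reused across responses or reflected from user input.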
Day 5
- Need for Web Security
- Basics of TCP/IP
- Basics of the Hypertext Transfer Protocol (HTTP)
- Hands-On with Command Line Web Client
- More about text-based protocols
- Hands-On Session Management
- Basics of TLS/SSL
- Hands-On TLS/SSL with Command Line Web Client
- Data View of Web Apps
- Getting Started with Interception Proxy
- Hands-On Setting up Interception Proxy
- Hands-On with Capturing Requests and Responses in the proxy
- User input in detail
- Hands-On user input requests
- Security Testing Basics
Day 6
- OWASP Top 10 Risks faced by applications
- Hands-On OWASP Top 10
Day 7
- Security architecture principles
- Basics of web infrastructure
- Hands-On Setting up a website
- Files and permissions (Linux)
- Hands-On for Files and permissions for Linux
- Remote File & Local File Inclusion
- Hands-On RFI and LFI
Day 8
- AJAX attack trends and common attacks
- Hands-On AJAX and XMLHttpRequest
- Basic cryptography for the web
- Hands-On Hashing Passwords
- SSL and advanced HTTP attacks
- Hands-On
- Hands-on practical assessment