Course Code:
bappint
Duration:
14 hours
Overview:
The training is aimed at administrators and programmers who work with systems that store personal or otherwise sensitive data. It covers the common attacks on web applications and the corresponding defences.
Course Outline:
Part 1. Introduction
Basic concepts
- Security boundary
- Source and sink metaphor
- AppSec kill chain
- Threat modeling
Part 2. Backend
Backend Overview
- Assets and Attack Vectors
- Backend Threat Model
Application boundary
- Frontline Review
- Authentication and authorization
- Session management
- Input Validation
Database boundary
- Frontline Review
- SQL injection
- NoSQL injection
Operating system boundary
- Frontline Review
- Memory safety
- Command injection
- Path traversal
- File uploads: benefits and risks
- XML external entities (XXE)
- Deserialization
Part 3. Frontend
Frontend Overview
- The Tragedy of Cookies
- Same-origin policy
- JavaScript
- Frontend Threat Model
Origin boundary
- Frontline Review
- Cross-site scripting
- Cross-site request forgery
- Cross-site leaks
- Other problems
Part 4. The Big Questions
How to keep a secret?
- Secrets Management
- Sensitive data management
How to ensure code and data integrity?
- Supply Chain Attacks
- Cache poisoning
How to maintain availability?
- On the importance of keeping logs
- Self-healing systems
- Surviving disasters
- Surviving volumetric attacks