AppSec for Developers

In this 2-Day Intermediate hands-on course delegates will gain an understanding of application security vulnerabilities including the industry standard OWASP Top 10 list and learn strategies to defend against them. Pen testing (security testing) as an activity tends to capture security vulnerabilities at the end of the SDLC and then it is often too late to influence fundamental changes in the way the code is written.

Retail Price: $1,750.00

Next Date: Request Date

Course Days: 2


Request a Date

Request Custom Course


Course Overview

As it is critical to introduce security as a quality component into the development cycle, this course has been written by developers turned Pen Testers who can help you to code in a secure manner.

Pen testing as an activity tends to capture security vulnerabilities at the end of the SDLC and it is then often too late to influence fundamental changes in the way the code is written.

The class is a highly practical and we cover a variety of best security practices and in-depth defense approaches which you should be aware of while developing applications. The class also covers quick techniques which you can use to identify various security issues throughout the code review process.

 

Who Should Take This Class?

This course is ideal for Web/API developers who work day-in-day out building full-stack web applications or web APIs. Anyone who is looking to develop a skill-set into web application security and is looking to identify web application flaws will also benefit from this course.

Delegate Requirements

Delegates need to have a basic understanding of how web applications work with an added advantage for those who currently develop web applications. This training is a programming language agnostic.


Details of the course content:

APPLICATION SECURITY BASICS

  • Why do we need Application Security?
  • Understanding OWASP TOP 10

UNDERSTANDING THE HTTP PROTOCOL

  • Understanding HTTP/HTTPS protocol
  • Understanding Requests and Responses – Attack Surface
  • Configure Burpsuite to intercept HTTP/HTTPS traffic

SECURITY MISCONFIGURATIONS

  • Common misconfigurations in Web Applications
  • Sensitive Information exposure and how to avoid it
  • Using Softwares with known vulnerabilities

INSUFFICIENT LOGGING AND MONITORING

  • Types of Logging
  • Introduction to F-ELK

AUTHENTICATION FLAWS

  • Understanding Anti-Automation Techniques
  • NoSQL Security

AUTHORIZATION BYPASS TECHNIQUES

  • Securing JWT and OAuth
  • Local file Inclusion
  • Mass Assignment Vulnerability

CROSS-SITE SCRIPTING (XSS)

  • Types of XSS
  • Mitigating XSS

CROSS-SITE REQUEST FORGERY SCRIPTING

  • Understanding CSRF
  • Mitigating CSRF

SERVER-SIDE REQUEST FORGERY (SSRF)

  • Understanding SSRF
  • Mitigating SSRF

SQL INJECTION

  • Error and Blind SQL Injections
  • Mitigating SQL Injection
  • ORM Framework: HQL Injection

XAML EXTERNAL ENTITY (XXE) ATTACKS

  • Default XML Processors == XXE
  • Mitigating XXE

UNRESTRICTED FILE UPLOADS

  • Common Pitfalls around file upload
  • Mitigating File upload vulnerability

DESERIALIZATION VULNERABILITIES

  • What is Serialization?
  • Identifying Deserialization functions and deserialized data
  • Mitigation strategies for deserialization

CLIENT-SIDE SECURITY CONCERNS

  • Understanding Same Origin Policy
  • Windows Desktop ‘Breakout’ and AppLocker Bypass Techniques (Win 10)
  • Client-Side Security headers and their server configurations

SOURCE CODE REVIEW

  • What to check for Security in source code
  • CTF: A timed game to spot the flaws in the given Source Code samples

DEVSECOPS

  • DevSecOps – What Why and How?
  • Case Study


Sorry! It looks like we haven’t updated our dates for the class you selected yet. There’s a quick way to find out. Contact us at 502.265.3057 or email info@training4it.com


Request a Date