Duração:
2 dias
Próxima Data:
Consulte-nos
Local:
Descrição
In this 2-Day Intermediate hands-on course delegates will gain an understanding of application security vulnerabilities including the industry standard OWASP Top 10 list and learn strategies to defend against them.
Pen testing (security testing) as an activity tends to capture security vulnerabilities at the end of the SDLC and then it is often too late to influence fundamental changes in the way the code is written.
Web application security tends to be addressed only when vulnerabilities are found on applications running in production. Addressing these vulnerabilities at that stage becomes an expensive affair. These vulnerabilities arise primarily because developers are not sensitized against their impact and more importantly their fixing/patching.
Destinatários
This course is ideal for Web/API developers who work day-in-day out building full-stack web applications or web APIs. Anyone who is looking to develop a skill-set into web application security and is looking to identify web application flaws will also benefit from this course.
Área: Cybersecurity
Certificação Associada: N/A
*Curso disponível em Live Training
Programa:
APPLICATION SECURITY BASICS
- Why do we need Application Security?
- Understanding OWASP TOP 10
UNDERSTANDING THE HTTP PROTOCOL
- Understanding HTTP/HTTPS protocol
- Understanding Requests and Responses – Attack Surface
- Configure Burpsuite to intercept HTTP/HTTPS traffic
SECURITY MISCONFIGURATIONS
- Common misconfigurations in Web Applications
- Sensitive Information exposure and how to avoid it
- Using Softwares with known vulnerabilities
INSUFFICIENT LOGGING AND MONITORING
- Types of Logging
- bIntroduction to F-ELK
AUTHENTICATION FLAWS
- Understanding Anti-Automation Techniques
- NoSQL Security
AUTHORIZATION BYPASS TECHNIQUES*
- Securing JWT and OAuth
- Local file Inclusion
- Mass Assignment Vulnerability
CROSS-SITE SCRIPTING (XSS)
- Types of XSS
- Mitigating XSS
CROSS-SITE REQUEST FORGERY SCRIPTING
- Understanding CSRF
- Mitigating CSRF
SERVER-SIDE REQUEST FORGERY (SSRF)
- Understanding SSRF
- Mitigating SSRF
SQL INJECTION
- Error and Blind SQL Injections
- Mitigating SQL Injection
- ORM Framework: HQL Injection
XAML EXTERNAL ENTITY (XXE) ATTACKS
- Default XML Processors == XXE
- Mitigating XXE
UNRESTRICTED FILE UPLOADS Common Pitfalls around file upload Mitigating File upload vulnerability
DESERIALIZATION VULNERABILITIES
- What is Serialization?
- Identifying Deserialization functions and deserialized data
- Mitigation strategies for deserialization
CLIENT-SIDE SECURITY CONCERNS
- Understanding Same Origin Policy
- Windows Desktop ‘Breakout’ and AppLocker Bypass Techniques (Win 10)
- Client-Side Security headers and their server configurations
SOURCE CODE REVIEW
- What to check for Security in source code
- CTF: A timed game to spot the flaws in the given Source Code samples
DEVSECOPS
- DevSecOps – What Why and How?
- Case Study
Pré-requisitos:
Delegates need to have a basic understanding of how web applications work with an added advantage for those who currently develop web applications. This training is a programming language agnostic.
A Laptop with minimum 4 GB RAM and 1 GB of extra space is also required.
Share: