(OWASP) Top 10 - Secure Coding Fundamentals

Registration

Dates

  • From 12 June 2021 to 13 June 2021
  • From 24 June 2021 to 25 June 2021
  • From 10 July 2021 to 17 July 2021
  • From 29 July 2021 to 30 July 2021
  • From 08 August 2021 to 15 August 2021
  • From 26 August 2021 to 27 August 2021
  • From 11 September 2021 to 12 September 2021
  • From 23 September 2021 to 24 September 2021
  • From 09 October 2021 to 16 October 2021
  • From 28 October 2021 to 29 October 2021

OWASP Top 10, Secure Coding Fundamentals

Writing web applications can be rather complex – reasons range from dealing with legacy technologies or underdocumented third-party components to sharp deadlines and code maintainability. Yet, beyond all that, what if we told you that attackers were trying to break into your code right now? How likely would they be to succeed?

This 2-day course will change the way you look at your code. We'll teach you the common weaknesses and their consequences that can allow hackers to attack your system, and – more importantly – the best practices you can apply to protect yourself. We cover typical Web vulnerabilities with a focus on how they affect web apps across the entire stack – from the base environment to modern AJAX and HTML5-based frontends. In addition, we discuss the security aspects of different platforms as well as typical programming mistakes you need to be aware of. We present the entire course through live practical exercises to keep it engaging and fun.

Writing secure code will give you a distinct edge over your competitors. It is your choice to be ahead of the pack – take a step and be a game-changer in the fight against cybercrime.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn about XML security
  • Learn client-side vulnerabilities and secure coding practices
  • Learn about typical coding mistakes and how to avoid them
  • Get information about some recent vulnerabilities in different frameworks
  • Get sources and further readings on secure coding practices

Audience

Web Developers

Related courses

Java and Web application security master course (Onsite / Virtual classroom, 5 days)

C# and Web application security master course (Onsite / Virtual classroom, 5 days)

Web application security (Onsite / Virtual classroom, 3 days)

Web application security testing (Onsite / Virtual classroom, 3 days)

OWASP TOP 10, Java secure coding follow up (Onsite / Virtual, 1 day)

OWASP TOP 10, C# secure coding follow up (Onsite / Virtual, 1 day)

Prerequisites

General Web Development

Outline

Day 1

IT security and secure coding

  Nature of security
  What is risk?
  IT security vs. secure coding
  From vulnerabilities to botnets and cybercrime
    Nature of security flaws
    From an infected computer to targeted attacks
    The Seven Pernicious Kingdoms
    OWASP Top Ten 2017

Web application security

  Injection
    Injection principles
    SQL injection
      Exercise – SQL injection
      Typical SQL injection attack methods
      Blind and time-based SQL injection
      SQL injection protection methods
      Effect of data storage frameworks on SQL injection
    Other injection flaws
      Command injection
      Case study – ImageMagick
  HTTP parameter pollution
    Cookie injection/HTTP parameter pollution
    Exercise – Value shadowing
  Broken authentication
    Session handling threats
    Session handling best practices
    Session handling examples in different languages
    Setting cookie attributes – best practices
  Cross site request forgery (CSRF)
    CSRF prevention
    CSRF prevention examples
  XML external entity (XXE)
    XML entity introduction
    XML external entity attack (XXE) – resource inclusion
    XML external entity attack – URL invocation
    XML external entity attack – parameter entities
    Exercise – XXE attack
    Preventing entity-related attacks
    Case study – XXE in Google Toolbar
  Broken access control
    Typical access control weaknesses
    Insecure direct object reference (IDOR)
    Exercise – Insecure direct object reference
    Protection against IDOR
    Case study – Facebook Notes
  Cross-Site Scripting (XSS)
    Persistent XSS
    Reflected XSS
    DOM-based XSS
    Exercise – Cross-Site Scripting
    XSS prevention
    XSS prevention tools
  HTML5 security
    New XSS possibilities in HTML5
    HTML5 clickjacking attack – text field injection
    HTML5 clickjacking – content extraction
    Form tampering
    Exercise – Form tampering
    Cross-origin requests
    HTML proxy with cross-origin request
    Exercise – Client-side include
  Insecure deserialization
    Serialization and deserialization basics
    Security challenges of deserialization
    Deserialization examples
    Denial-of-service via deserialization
    From deserialization to code execution
    POP payload targeting
    Real-world deserialization vulnerabilities
    Issues with alternative object deserialization methods
    Secure deserialization with FST
    Secure deserialization with Kryo
    Issues with deserialization – JSON
    Best practices against deserialization vulnerabilities
    Case study – XML deserialization in Apache Struts leading to RCE
      CVE-2017-9805 – Apache Struts RCE when deserializing XML
      Example XML triggering the RCE
  Using components with known vulnerabilities
    Vulnerability attributes
    Common Vulnerability Scoring System – CVSS
  Insufficient logging and monitoring
    Detection and response
    Logging and log analysis
    Intrusion detection systems and Web application firewalls

Day 2

Common coding errors and vulnerabilities

  Input validation
    Input validation concepts
    Integer problems
      Representation of negative integers
      Integer overflow
      Exercise IntOverflow
      What is the value of Math.abs(Integer.MIN_VALUE)?
      Integer problem – best practices
    Path traversal vulnerability
      Path traversal – weak protections
      Path traversal – best practices
    Unvalidated redirects and forwards
    Log forging
      Some other typical problems with log files?
  Improper use of security features
    Typical problems related to the use of security features
      Password management
        Exercise – Weakness of hashed passwords
        Password management and storage
        Special purpose hash algorithms for password storage
        Argon2 and PBKDF2 implementations in Java
        bcrypt and scrypt implementations in Java
        Case study – the Ashley Madison data breach
        Typical mistakes in password management
        Exercise – Hard coded passwords
  Accessibility modifiers
    Accessing private fields with reflection in Java
    Exercise Reflection – Accessing private fields with reflection
  Exercise Scademy Pay – Integrity protection weakness
  Improper error and exception handling
    Typical problems with error and exception handling
      Empty catch block
      Overly broad throws
      Overly broad catch
      Using multi-catch
      Returning from finally block – spot the bug!
      Catching Exceptions
      Exception handling – spot the bug!
      Exercise Scademy Pay – Error handling
  Time and state problems
    Concurrency and threading
    Concurrency examples
    Omitted synchronization – spot the bug!
    Exercise – Omitted synchronization
    Incorrect granularity – spot the bug!
    Exercise – Incorrect granularity
    Deadlocks
    Avoiding deadlocks
    Exercise – Avoiding deadlocks
    Lock statement
  Code quality problems
    Dangers arising from poor code quality
    Poor code quality – spot the bug!
    Unreleased resources
    Serialization – spot the bug!
    Exercise – Serializable sensitive
    Private arrays – spot the bug!
    Private arrays – typed field returned from a public method
    Exercise – Object hijacking
    Public method without final – object hijacking
    Immutable String – spot the bug!
    Exercise Immutable Strings
    Immutability and security

Principles of security and secure coding

  Matt Bishop’s principles of robust programming
  The security principles of Saltzer and Schroeder

Knowledge sources

  Secure coding sources – a starter kit
  Vulnerability databases
  Java secure coding sources
  .NET secure coding guidelines at MSDN
  .NET secure coding cheat sheets
  Recommended books – .NET and ASP.NET
  Recommended books – Java

Registration

  • Price: 1380.00 €
  • Registration deadline: 31 December 2021
  • Location: Remote
  • Minimum enrollment: 2 participants
  • Terms: General conditions of sales
