Course Overview
A 2-day training course designed to teach developers and pen testers how web application security is broken, exploited and leveraged to gain access to data and infrastructure. One of the most topical areas of security is code development and the SDLC, because this is where flaws are introduced in the first place.
About
- Covers latest industry standards such as OWASP Top 10
- Insight into recent security vulnerabilities (such as the mass assignment bug in MVC frameworks)
- Thorough guidance on security best practices (such as HTTP security headers like CSP and HSTS)
- A real-world analogy for each vulnerability
- Hands-on labs
Who should attend
- Software/Web developers
- PL/SQL developers
- Penetration Testers
- Security Auditors
- Administrators and DBAs
- Security Managers
Prerequisites
Students should bring their own laptop with the Windows operating system installed (either natively or running in a VM). Further, students must have administrative access to perform tasks such as installing software and disabling antivirus. Devices without an Ethernet connection (e.g. MacBook Air, tablets) are not supported. Prior development experience in any language is an advantage but not a strict requirement.
Course content
Application Security for Web Developers: A 2-day, highly practical course that targets web developers, security auditors, penetration testers, security managers and anyone else who would like to learn about writing secure code or auditing code for security flaws. The course covers each vulnerability in depth and discusses a variety of security best practices and defence-in-depth approaches that developers should keep in mind while developing applications.
Attendees will be given access to lab infrastructure on which they practise identifying vulnerable code and then discuss patching approaches. While the course covers industry standards such as the OWASP Top 10 and the SANS Top 25 security issues, it also covers real-world issues that are not mentioned in these lists. The course does not focus on any particular web development language or technology but on the underlying principles. It includes examples from PHP, .NET, classic ASP and Java.
Pen testing as an activity tends to catch security vulnerabilities at the end of the SDLC, which is often too late to influence fundamental changes in the way code is written. NotSoSecure wrote this course because developers need to write code and build applications securely from the start. Doing so need not be more time consuming, but it is critical to introduce security as a quality component into the development cycle.
The course does not target any particular web development platform; it targets the general insecure coding flaws that developers make while developing applications. The examples used in the course include web development technologies such as ASP, .NET, Java and PHP.