Application Security for Web Developers
This two day hands-on course targets web developers, security auditors, penetration testers, security managers, and anyone else who wants to learn to write secure code or to audit code against security flaws.
The course covers each and every vulnerability in depth, and talks about a variety of best security practices, alongside a defence-in-depth approach which developers should keep in mind while developing applications. All the attendees will be provided access to infrastructure on which they will be practising to identify vulnerable code and subsequently discuss patching approaches.
While the course covers industry standards such as the OWASP Top 10 and the SANS top 25, it also talks about real world issues which do not find a mention in these lists. The course does not focus on any particular web development language or technology, instead focusing on the principles. Although it will include examples from PHP, .NET, classic ASP and Java.
Course Outline Summary:
Introduction to Web Applications
- Design Flaws
- Session Management
- Logical Flaws
- Web Server Misconfiguration
- Application Server Misconfiguration
- HTTP Methods
- SSL and MITM attacks
Cross Site Issues
- Cross Site Scripting
- Cross Site Request Forgery
- Session Fixation
- CRLF Injection
- JSON Hijacking
- Flash and Cross Domain Issues
Server Side Issues
- SQL Injection
- File Uploads
- Server Side Includes
- File Inclusion
- Direct Object Reference
- OS Code Execution
What Technologies Are Covered
The course does not target any particular web development platform but rather targets those general insecure coding flaws which developers can make while developing applications. The examples used in the course will include web development technologies such as ASP, .NET, JAVA and PHP.
Who Should Attend
- Software/Web developers
- PL/SQL developers
- Penetration Testers
- Security Auditors
- Administrators and DBAs
- Security Managers
What Attendees Will Be Provided
- Student hand-outs
- Tools/Scripts (some public and some not so public)
- Morning Tea, Lunch and Afternoon Tea
What Attendees Should Bring
Students should bring their own laptop with Windows installed (either natively, or running in a VM). Further, students must have administrative access to perform tasks like install software, disable antivirus, and so on. Devices which don't have an ethernet connection (e.g. Macbook Air, tablets, and so on) are not supported. A prior knowledge of development in a language will be an added advantage, but is not a strict requirement.
About Your Trainer
Sumit "Sid" Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 9 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous Black Hat, DEF CON, OWASP Appsec, HITB etc.
Over the years, Sid has identified several critical flaws in leading software and helped fix these bugs. These include products from Microsoft, Oracle, Intel, Wordpress etc. He has trained several security consultants/penetration testers and helped them get better at their jobs. Sid also holds both CREST certifications (Application and Infrastructure), is a co-author of the book SQL Injection: Attacks and Defence (2nd edition) and runs the popular IT security blog: http://www.notsosecure.com
Dates and Costs
The course offers two days of training, and is currently scheduled for the 9th and 10th of February 2015 in Auckland.
One public course will be offered in Auckland with the potential for a Wellington course based on demand. There are limited seats for the course, at the following rates;
- 1st December to 15th December - early bird (NZ$1200+GST)
- 16th December to 15th January - regular NZ$1400+GST)
- 16th January to 7th February - late (NZ$1500+GST)
Private (in-house) courses will be offered upon request, with numbers and costs to be confirmed.
To book a place in this course or to enquire about a private in-house course, please email firstname.lastname@example.org