Overview
This course has been designed as a series of quick, hard-hitting sessions that set the context and then work through each of the OWASP vulnerabilities in turn. The course is short but intense, designed to maximize the flow of information in an effective and interactive manner. Participants will develop an understanding of the recently updated OWASP Top 10. Each session sets the framework for deep and insightful discussion and demonstration of the application vulnerabilities that are plaguing the industry.
What You'll Learn
Participants gain an understanding of the following for each vulnerability:
- The mechanism by which the vulnerability is exploited.
- Prevalence of the vulnerability, including characteristics to focus on during design and code reviews to help detect potential issues.
- Potential consequences of a successful exploit.
- Measures to eliminate, prevent, or minimize the risk of exploited vulnerabilities.
- Relative effectiveness of scanners and other tools in detecting the vulnerability being discussed.
- Generic and code-specific references that can be used after the session.
Curriculum
- Security: The complete picture
- Attack patterns
- Anthem, Dell, Target, Equifax, and Marriott debriefs
- Verizon’s 2018 data breach report
- Assumptions we make
- Recognizing assets
- Introduction to OWASP Top 10 2017
- Injection flaws
- Examples: SQL injection
- Drill down on stored procedures
- Understanding the underlying problem
- Other forms of injection
- Minimizing injection flaws
- Potential demonstration: Defending against SQL injection
- Weak authentication data
- Protecting authentication data
- Protecting authentication services
- Effective credential management
- Effective multi-factor authentication
- Handling passwords on the server side
- Potential demonstration: Defending authentication
- Protecting data to mitigate the impact of an exploit
- Regulatory considerations
- Establishing an asset inventory
- Handling data at rest
- Handling data in motion
- Handling data in use
- Potential demonstration: Defending sensitive data
- Recognizing XML processing: DIRECT, REST, SOAP, etc.
- Challenges of safe XML parsing
- Managing external entity resolution
- XSLT processing challenges
- Safe XML processing
- Potential demonstration: Safe XML processing
- Access control and trust boundaries
- Excessive privileges
- Insufficient flow control
- Unprotected API resource access
- JWTs, sessions and session management
- Single sign-on (SSO)
- Potential demonstration: Enforcing access control
- System hardening: IA mitigation
- Application whitelisting
- Principle of least privilege in real terms
- Secure configuration baseline
- Error-handling issues
- XSS patterns
- Stored XSS
- Reflected XSS
- DOM-based XSS
- Best practices for untrusted data
- Potential demonstration: Defending against XSS
- Recognizing serialization in Java, JSON.Net and elsewhere
- Deserializing hostile objects
- Safely managing deserialization
- Maintaining software inventory
- Awareness of vulnerabilities, updates, and patches
- Managing versions, updates, and patches
- Reducing software risks
- Fingerprinting a web site
- Recognizing when and what to log
- Logging in support of forensics
- Monitoring and alerting
- Responding to alerts
- Strength training: Project teams/developers
- Strength training: IT organizations
- OWASP ASVS
- Leveraging common AppSec practices and controls
- Types of security controls
- Attack phases
- Threat modeling overview
- Modeling assets, trust boundaries, and data flows
- Relating threats to model
- Mitigating threats
Who should attend
The course is highly recommended for:
- Web developers
- Software development engineers
- Application developers
- Software developers
- Full stack developers
Prerequisites
Participants must have basic programming knowledge (developers) and a basic understanding of the concepts of testing (testers).