Overview
This immersive training seminar focuses on providing web developers with training in web application security. Participants learn to build secure web applications, incorporating essential security elements from the development stage through deployment and beyond. Participants are equipped with basic programming skills and knowledge of integrating security into the entire software development cycle for web applications.
What You'll Learn
- Recognize potential as well as real security vulnerabilities and employ defense measures to overcome them
- Learn the most common security vulnerabilities encountered in web applications today
- Examine security vulnerabilities from a coding perspective
- Describe the threat and attack mechanisms
- Design, implement, and test effective defenses
Curriculum
- Assumptions we make
- Security: The complete picture
- Anthem, Sony, Target, Heartland, and TJX debriefs
- Verizon’s 2017 data breach report
- Attack patterns and recommendations
- Motivations: Costs and standards
- Open Web Application Security Project (OWASP)
- Web Application Security Consortium
- CERT Secure Coding Standards
- Microsoft SDL
- Assets and trust boundaries
- Threat modeling
- Potential demonstration: Asset analysis
- Security is a lifecycle issue
- Minimize attack surface area
- Layers of defense: Tenacious D
- Compartmentalize
- Consider all application states
- Do not trust the untrusted
- Buffer overflows
- Integer arithmetic vulnerabilities
- Unvalidated input: From the web
- Defending trust boundaries
- Whitelisting vs blacklisting
- Potential demonstration: defending trust boundaries
- Access control issues
- Excessive privileges
- Insufficient flow control
- Unprotected URL/resource access
- Examples of shabby access control
- Sessions and session management
- Broken quality/DoS
- Authentication data
- Username/password protection
- Exploits magnify importance
- Handling passwords on server side
- Single sign-on (SSO)
- Potential demonstration: Defending authentication
- XSS patterns
- Persistent XSS
- Reflected XSS
- Best practices for untrusted data
- Potential demonstration: Defending against XSS
- Injection flaws
- SQL injection attacks evolve
- Drill down on stored procedures
- Other forms of injection
- Minimizing injection flaws
- Potential demonstration: Defending against SQL injection
Who should attend
Anyone interested in the paradigm shifts necessary to enable organizational agility in today’s innovative business climate will find the Business Agility Foundations course compelling. The course is highly recommended for:
- Current and aspiring business agility leaders
- Business change agents
- Business leaders
- Business managers
- Value managers
- Product owners
- Product managers
- Anyone wanting a certification in ICAgile Business Agility Foundation (ICP-BAF)
- Anyone wanting to be an ICAgile Certified Expert in Business Agility