Building Secure Web Applications based on OWASP (.NET or Java)
(SECOWASP, Live Instructor-Led Training, 3 days)


Description

The ability to build secure code that resists attack is a key skill for the modern programmer. As applications become a more and more important part of our professional lives, their security vulnerabilities become more and more of a liability. This SETC certified course on creating secure applications takes programmers on a complete tour of the security concerns in a modern web application. The discussion includes encryption and message digests, code access security, authentication, session management, authorization and role based security. The course concludes with a detailed study of symmetric and asymmetric encryption techniques as well as common hacks and security vulnerabilities.

Dates and Pricing


Jan 17 to Jan 19, 2018: $1,675/person
Feb 14 to Feb 16, 2018: $1,675/person
Mar 14 to Mar 16, 2018: $1,675/person

Outline

Introduction and Overview
What are Web Applications and Web Services?
About the Underlying Technology of Applications and Services
A Few Important Definitions: Risk, Threats and Vulnerabilities
An Overview of Risk Assessment and Management Techniques
About Measuring the Risk
About Dealing with Risk
Security Guidelines
Input and Output Validation
About Secure Failure
The Need for Simplicity
Reusing Trusted Components
About Predictive Defence
The Weakest Link Principle
Obscuring Components doesn’t make them Secure
About Least Privilege
About Compartmentalization
About the Architecture: Operating System, Infrastructure and Application
Security Architecture of .NET or Java
Authentication
Types of Authentication
Overview of Browser Limitations
Certificate Basics: Public Keys, Private Keys and Certificates
Exploring Authentication Types: Basic, Digest, Forms and Certificate Based
Using Cookies for Entity Authentication
Using DNS for Infrastructure Authentication
About Password Based Authentication Systems
Implementing Authentication in .NET or Java
Managing User Sessions
All you ever wanted to know about Cookies: Persistence, Security and Usage
All you ever wanted to know about the Session Token
Session Management: Using a Session Timeout
Session Management: Regeneration of Session Token
Session Management: Session Forging or Lockout
Session Management: Re-authentication
Session Management: Session Token Transmission
Session Management: Page Tokens
Session Management: Session Tokens on Logout
Using SSL: The SSL Handshake in Detail
Session Management in .NET or Java
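The session management items above (timeout, token regeneration, token invalidation on logout) are easier to see in one place than spread over a servlet container's configuration, so here is an added example that is not part of the course: a self-contained Java 11+ session store. Tokens come from `SecureRandom`, a session dies after an idle or an absolute timeout, login replaces the pre-authentication token (which defeats session fixation) and logout removes the token server-side. The timeouts, the user id and the timestamps in `main` are constructed for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public final class SessionManager {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32;   // 256 bits of entropy: the token must be unguessable

    public static final class Session {
        public final String userId;   // null until the user has authenticated
        public final Instant created;
        volatile Instant lastSeen;
        Session(String userId, Instant now) { this.userId = userId; this.created = now; this.lastSeen = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration idleTimeout;
    private final Duration absoluteTimeout;

    public SessionManager(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    private static String newToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);   // cookie-safe alphabet
    }

    /** Pre-login session, e.g. for a shopping cart. */
    public String createAnonymous(Instant now) {
        String token = newToken();
        sessions.put(token, new Session(null, now));
        return token;
    }

    /** Look up a session; a session past either timeout is dropped and reported as absent. */
    public Optional<Session> resolve(String token, Instant now) {
        if (token == null) return Optional.empty();
        Session s = sessions.get(token);
        if (s == null) return Optional.empty();
        boolean idle = Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0;
        boolean tooOld = Duration.between(s.created, now).compareTo(absoluteTimeout) > 0;
        if (idle || tooOld) {
            sessions.remove(token);
            return Optional.empty();
        }
        s.lastSeen = now;
        return Optional.of(s);
    }

    /** On successful authentication the old token is discarded and a fresh one issued (no session fixation). */
    public String login(String oldToken, String userId, Instant now) {
        if (oldToken != null) sessions.remove(oldToken);
        String token = newToken();
        sessions.put(token, new Session(userId, now));
        return token;
    }

    /** Logout must invalidate server-side; clearing the cookie alone leaves the token usable. */
    public void logout(String token) {
        if (token != null) sessions.remove(token);
    }

    public static void main(String[] args) {
        SessionManager sm = new SessionManager(Duration.ofMinutes(15), Duration.ofHours(8));
        Instant t0 = Instant.parse("2018-01-17T09:00:00Z");   // constructed timestamp

        String anon = sm.createAnonymous(t0);   // token the browser held before login (could be attacker-planted)
        String authed = sm.login(anon, "alice", t0);
        System.out.println("token rotated on login:      " + !anon.equals(authed));
        System.out.println("pre-login token still valid: " + sm.resolve(anon, t0).isPresent());
        System.out.println("user behind the new token:   " + sm.resolve(authed, t0).map(s -> s.userId).orElse("none"));

        Instant later = t0.plus(Duration.ofMinutes(16));
        System.out.println("valid after 16 idle minutes: " + sm.resolve(authed, later).isPresent());

        String again = sm.login(null, "alice", later);
        sm.logout(again);
        System.out.println("valid after logout:          " + sm.resolve(again, later).isPresent());
    }
}
```

In a servlet container the token would be carried in a cookie marked `Secure` and `HttpOnly` (the "Session Token Transmission" item above); the store itself is what this example isolates.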
Access Control
Discretionary Access Control
Mandatory Access Control
Role Based Access Control
Access Control in .NET or Java
Event Logging
The Importance of Logging Events
About Event Management
Logging Events in .NET or Java
Data Validation
The Architecture of Data Validation
Why Client Validation should not be relied upon
Validation Techniques: Accept Only Known Valid Data
Validation Techniques: Reject Known Bad Data
Validation Techniques: Sanitize all Data
Overview of Business Tier Validation Techniques in .NET or Java
Overview of Data Tier Validation Techniques in .NET or Java
Implementing a Complete Validation Solution based on Enterprise Technologies
Preventing Common Problems
About the Meta Character Problem
About Cross-Site Scripting: Description and Mitigation
Direct SQL Command: Description and Mitigation
Direct OS Command: Description and Mitigation
Path Traversal and Path Disclosure: Description and Mitigation
NULL Bytes: Description and Mitigation
Canonicalization Attacks: Description and Mitigation
URL Encoding: Description and Mitigation
Cookie Manipulation: Description and Mitigation
HTTP Header Manipulation: Description and Mitigation
HTML Form Field Manipulation: Description and Mitigation
URL Manipulation: Description and Mitigation
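The validation techniques and the common problems listed above (accept only known valid data, canonicalization, NULL bytes, URL encoding, path traversal, cross-site scripting and direct SQL commands) share one idea: validate the canonical form against an allow-list on the way in, and encode or parameterise on the way out. The following added example is not from the course; it is a Java 11+ class written for this page. The upload directory `/var/app/uploads`, the `users` table and the username alphabet are assumptions, and the file names in `main` are constructed test inputs.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import java.util.regex.Pattern;

public final class InputGuard {
    // Accept only known-good input: 3 to 32 characters from a fixed alphabet, nothing else.
    private static final Pattern USERNAME = Pattern.compile("[a-z][a-z0-9_]{2,31}");

    public static Optional<String> username(String raw) {
        return raw != null && USERNAME.matcher(raw).matches() ? Optional.of(raw) : Optional.empty();
    }

    /** Resolve a user-supplied file name under baseDir, rejecting traversal, NUL bytes and double encoding. */
    public static Optional<Path> safePath(Path baseDir, String raw) {
        if (raw == null) return Optional.empty();
        String decoded;
        try {
            decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);   // decode exactly once, then validate
        } catch (IllegalArgumentException malformedEscape) {
            return Optional.empty();
        }
        // A '%' or NUL surviving one decode means double encoding or an embedded null byte: reject, do not strip.
        if (decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0) return Optional.empty();
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(decoded).normalize();   // canonical form: "..", "." and "//" collapsed
        if (!target.startsWith(base) || target.equals(base)) return Optional.empty();
        return Optional.of(target);
    }

    /** Encode untrusted text for HTML element content or a double-quoted attribute value. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Parameterised query: the name is bound as data and can never change the SQL text. */
    public static boolean userExists(Connection db, String name) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("username 'alice_01'     accepted: " + username("alice_01").isPresent());
        System.out.println("username \"al'; DROP--\" accepted: " + username("al'; DROP--").isPresent());

        Path base = Paths.get("/var/app/uploads");   // assumed upload directory
        String[] names = { "report.pdf", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                           "%252e%252e/secret", "report.pdf\0.jpg", "/etc/passwd" };
        for (String n : names) {
            System.out.printf("%-30s -> %s%n", n.replace("\0", "\\0"),
                safePath(base, n).map(Path::toString).orElse("REJECTED"));
        }

        String payload = "<script>alert('xss')</script>";   // constructed XSS probe
        System.out.println("encoded: " + htmlEncode(payload));
    }
}
```

`userExists` is not called from `main` because it needs a live JDBC connection; it compiles against the standard `java.sql` API and shows the shape that replaces string concatenation. The single-decode rule in `safePath` also rejects a legitimate name containing a literal `%`, which is the intended trade-off: an allow-list turns away some valid input rather than letting an encoded `..` through.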
Other Problems
HTML Comments
Vendor Patches
System Configuration
Unused Files
Debug Commands
Default Accounts
The Need for Privacy
About Web Browsers and Personal Data
About Shared Web Browsers
Protecting Personal Data
Enhanced Browser Privacy
About Browser History and Related Settings
About Cryptography
Symmetric versus Asymmetric Cryptography
Public Keys, Private Keys and Certificates
About SSL
About Digital Signatures and Hash Values
Implementing a Complete Cryptographic Solution with .NET or Java