Cyber security is a serious challenge today, as attackers specifically target web application vulnerabilities. This seminar is an introduction to application security threats, demonstrating the security problems that exist in corporate systems, with a strong emphasis on application security and secure design. During this seminar we cover the major security vulnerabilities, including the OWASP Top 10, and secure-design and coding best practices for designing and developing web applications and server-based services.

Goals

This seminar's main objectives are to:

  • raise awareness of the problems that can occur without secure coding practices.
  • teach you your important role in the corporate effort to secure its systems, while applying information security best practices.
  • learn about the threat landscape and the controls you should use during the software development lifecycle.

Results

In this course you will learn how to:

  • understand the concepts and terminology behind defensive, secure coding.
  • appreciate the magnitude of the problems associated with web application security and the potential risks associated with those problems.
  • understand the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injections.
  • understand the vulnerabilities associated with authentication and authorization.
  • understand techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure.

Target audience

All members of the development team:

  • Developers
  • Application security analysts
  • Team leaders
  • Testers / QA
  • Designers & architects
  • Managers

Before attending this course, you should have:

  • basic knowledge of information systems
  • background knowledge in networking, the internet and the www
  • a development background with internet applications, using at least one of these languages: .NET, Java, PHP, AP, C/C++.

Programme

1. Application Security - What is the problem?

  • Web Application Security Problem
  • Application Security Myths
  • State-of-Practice in Secure Software Development

2. Application Level Attacks - Learning the Attacker's Techniques

  • HTTP fundamentals
  • OWASP top 10 web application risks
  • Broken Authentication and Session Management
  • Broken Authorization Schema
  • Injections (e.g. SQL injection, command injection, etc.)
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Denial of Service (DoS)
  • Browser Manipulation Attacks
  • Unvalidated Redirects and Forwards
  • Information Leakage
  • Business Logic Attacks
  • Upload File Backdoors
  • Insecure Cryptographic Storage
  • SSL & Digital Signatures
  • Events Logging

3. Security countermeasures and best practices

  • Authentication best practices
  • Brute Force Countermeasures
  • Account lockout vs CAPTCHA
  • Securing passwords
  • Authorization best practices
  • SQL injection countermeasures
  • Output encoding & input validation techniques
  • Cross Site Request Forgery (CSRF) countermeasures
  • Replay attacks countermeasures
  • File upload/download countermeasures
  • Security logging - what to log and what not to log

4. Take-away

  • 'Build in' Software Assurance
  • Software Assurance Quick Start

All chapters include hands-on demonstrations and interactive questions.

Trainer(s)

Sebastien Deleersnyder

Toreon provides the experienced trainer Sebastien Deleersnyder to share his practical application security experience. Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.

Practical information

Price: 749 EUR (excl VAT)

Kluwer trainings qualify for several grants: a practical instrument enabling you to pay only part of the registration fee.

  • Training subsidised by kmo-portefeuille. Read more information.

In-company: If you have a number of people in your company who need this type of training, Kluwer will be happy to develop an in-house training course for you, customised to suit your particular situation. Our experienced trainers will tailor the course to fulfil the needs and abilities of your staff. Request your in-company training.