Security testing (penetration testing) as an activity tends to catch security vulnerabilities at the end of the SDLC, which is often too late to influence fundamental changes in the way code is written.

We wrote this class because of the increasing need for developers to code in a secure manner. It is critical to introduce security as a quality component into the development cycle. This class aims at educating developers about various security vulnerabilities through hands-on practice using our purposely developed insecure web application which is hosted on Microsoft’s Azure platform. Throughout this class developers will be able to get on the same page with security professionals, understand their language and learn how to fix or mitigate vulnerabilities learnt during the class.

The techniques discussed in this class focus mainly on .NET and Java, owing to their wide adoption in enterprise web applications. The approach is generic, however, and developers from other language backgrounds can readily apply what they learn within their own environments.

Target Audience

  • Software/Web Developers
  • PL/SQL Developers
  • Penetration Testers
  • Security Auditors
  • Administrators
  • DBAs and Security Managers


N.B. This course meets the requirements of the PCI-DSS standard, specifically the mandated requirement 6.5:

  • Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory.

Delegates work in labs that are purposely riddled with multiple vulnerabilities. They receive demonstrations and hands-on practice of each vulnerability to understand the issue, followed by techniques and recommendations for fixing it. While the course covers industry standards such as the OWASP Top 10 and common security issues, it also covers real-world issues such as business logic and authorisation flaws.

  • Covers the latest industry standards such as the OWASP Top 10, with practical demonstrations of vulnerabilities complemented by hands-on lab practice
  • Insight into the latest security vulnerabilities (such as Host Header Injection, XML External Entity (XXE) Injection, and Web Services and API Security)
  • Thorough guidance on security best practices (an introduction to various security frameworks, and tools and techniques for secure development)
  • A real-world reference for each vulnerability (understand and appreciate why Facebook would pay $33,000 for an XML External Entity Injection vulnerability)

A highly practical class that targets web developers, pen testers, and anyone else wanting to write secure code or audit code for security flaws. The class covers a variety of security best practices and defence-in-depth approaches that developers should be aware of while developing applications. It also covers some quick techniques developers can use to identify security issues during code review.

Students can access our online lab, which is purposely riddled with multiple vulnerabilities. Students receive demonstrations and hands-on practice of the vulnerabilities to better understand the issues, followed by techniques and recommendations on how to fix them. While the class covers industry standards such as the OWASP Top 10 and the SANS Top 25, it also covers real-world issues such as business logic and authorization flaws.

DAY 1

Application Security Basics

With the ever-changing landscape of applications and emerging threats, this module covers the need for application security, industry standards such as the OWASP Top 10, and real-life examples and concerns in application security.

Understanding the HTTP Protocol

Here we learn the basics of the HTTP protocol and its attack surface, and configure Burp Suite to intercept HTTP/HTTPS traffic.

Security Misconfigurations

Security misconfiguration is the failure of developers or system owners to implement security controls, or to implement them properly. We will discuss common misconfigurations and their impact, using the Equifax breach as an example.

Insufficient Logging and Monitoring

With new vulnerabilities and bypasses being discovered practically every week, the industry's focus is shifting towards threat detection, monitoring and response, which also uncovers emerging internal threats. This module looks at what applications fail to log and how that hampers detection and response.

Authentication Flaws

Flaws related to password storage, password complexity and password reset are showcased with demos and exercises. A brief crash course in cryptography is included to demonstrate the known-plaintext attack (KPA).

Authorization Bypass Techniques

Improper authorization implementation lets an attacker bypass security controls. This module discusses attacks such as mass assignment and parameter manipulation, and showcases authorization bypasses and pitfalls in newer technologies such as JWTs and APIs.
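As an added illustration (not code from the course lab; the class material is .NET and Java, but the pattern is language-agnostic, so Python is used here for brevity), the following shows the two bypasses named above side by side: a profile-update handler that binds every submitted field (mass assignment) and an invoice lookup that trusts an id taken from the request (parameter manipulation), each next to a hardened version. The record shapes, field names, store and sample inputs are constructed for the example.

```python
# Added example (Python): mass assignment and parameter manipulation, with fixes.
# Data shapes, field names and sample records below are constructed for this
# illustration and are not the course lab application.

def make_user():
    """A freshly loaded ordinary user, as the application would read it from storage."""
    return {"id": 7, "username": "alice", "email": "alice@example.com", "role": "user"}

# Attacker-controlled form body: a normal-looking update plus an extra field the
# UI never offers. Constructed sample input.
CONSTRUCTED_FORM = {"email": "alice@attacker.example", "role": "admin"}

def update_profile_vulnerable(user, form):
    """Mass assignment: every key in the request is written onto the record,
    so a client that adds 'role' promotes itself."""
    for key, value in form.items():
        user[key] = value
    return user

# Fields a user may change about themselves. Everything else (id, role, ...) is
# server-controlled.
WRITABLE_FIELDS = frozenset({"username", "email"})

def update_profile_safe(user, form):
    """Binds only allow-listed fields. Returns the updated record and the list of
    rejected keys so the caller can log the attempt or answer 400 rather than
    silently dropping it."""
    rejected = sorted(set(form) - WRITABLE_FIELDS)
    for key in WRITABLE_FIELDS & set(form):
        user[key] = form[key]
    return user, rejected

# Constructed invoice store; owner_id is the only authorization fact about a row.
INVOICES = {
    101: {"owner_id": 7, "total": 42},
    102: {"owner_id": 8, "total": 9000},
}

def get_invoice_vulnerable(current_user, invoice_id):
    """Parameter manipulation (insecure direct object reference): the id comes
    straight from the URL or body and ownership is never checked, so any
    authenticated user can read any invoice by changing the number."""
    return INVOICES.get(invoice_id)

def get_invoice_safe(current_user, invoice_id):
    """Object-level authorization: the row must belong to the caller. A missing
    row and a foreign row get the same answer so the endpoint does not become an
    oracle for enumerating valid ids."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != current_user["id"]:
        return None
    return invoice
```

The allow-list in `update_profile_safe` is the whole fix for mass assignment: the server, not the client, decides which properties a request may touch. The ownership check in `get_invoice_safe` is the fix for parameter manipulation, and it has to run on every object access rather than once at login, because the attacker is an authenticated user.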

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is the most frequently found vulnerability in web applications. We look at some trivial cases, the different varieties (reflected, stored and DOM-based) and how to find and fix XSS.

Cross-Site Request Forgery (CSRF)

Here we explain what Cross-Site Request Forgery is, walk through an example of a common CSRF attack and cover its mitigation.

DAY 2

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery abuses the trust that back-end systems place in the application server: the attacker makes the server issue requests on their behalf. We describe examples of SSRF and demonstrate how to find and mitigate its various types.

SQL Injection

SQL Injection is considered one of the top web application vulnerabilities. We go through a wide variety of SQL Injection vulnerabilities, attacks and techniques, including common SQL Injection examples.
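As an added example (Python with the standard sqlite3 module; not code from the course lab, which is .NET and Java, though the injection and its fix look the same in any driver), here is a login check written once by pasting input into the SQL text and once with a parameterised query, exercised with two classic payloads. The schema, the single user row and the payloads are constructed for this illustration.

```python
# Added example (Python, sqlite3): the same login check written with string
# formatting and with a parameterised query. The schema and the single user row
# are constructed for this illustration, not taken from the course lab.
import sqlite3

def build_db():
    """In-memory database with one user. The password is stored in clear only to
    keep the injection point easy to read; real code compares a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the SQL text, so it can change the statement's
    grammar. A username of  alice'--  comments out the password check entirely."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """The statement is fixed and the values are bound as parameters; the driver
    never interprets them as SQL, whatever quotes or comment markers they hold."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Constructed attacker inputs. The first abuses a comment marker, the second a
# tautology; both bypass the vulnerable version and fail against the safe one.
PAYLOADS = [("alice'--", "wrong"), ("alice", "' OR '1'='1")]

def bypass_results(conn):
    """Runs each payload through both functions; returns [(vulnerable_id, safe_id), ...]."""
    return [(login_vulnerable(conn, u, p), login_safe(conn, u, p)) for u, p in PAYLOADS]
```

The point to take from the two functions is that escaping quotes is not the fix; binding is. With `?` placeholders the database receives the statement and the values separately, so `'--` and `' OR '1'='1` arrive as nothing more than odd-looking passwords.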

XML External Entity (XXE) Attacks

XML is a widely used data format, from web services to documents. We see how XML parsers that process external entities can be abused (XXE), and how entity expansion can be turned into a denial of service, as in the 'Billion Laughs' attack.

Unrestricted File Uploads

Unrestricted file upload is a serious vulnerability with impact on both the application and its underlying infrastructure. We uncover different ways of uploading malicious files and exploiting them to gain further access.

Deserialization Vulnerabilities

Applications use serialization and deserialization on a regular basis; however, deserializing untrusted user input can lead to serious vulnerabilities such as remote code execution, which will be demonstrated here.

Client-Side Security Concerns

Client-side security plays an important role in defending against vulnerabilities. Here we talk about best practices and implementation techniques around browser and client security.

Source Code Review

Source code review often uncovers vulnerabilities overlooked during normal penetration testing. We look at different vulnerable code samples and demo a source code analysis tool such as CAT.NET.

DevSecOps

With the recent 'Security as Code' culture, this module covers the need for DevOps and migrating to DevSecOps, using open source tools and techniques to demonstrate the ease and flexibility of collaboration between developers and the security team.