T20113

Web Security for Developers

The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to cause loss to your data or reputation, subvert your resources for their own gain or attack your user base.

This course helps you to develop a security-oriented mindset. It explores the way the web works, so you have a way to understand how various vulnerabilities arise. Then, with those foundations laid, it covers a range of common and less common vulnerabilities, how an attack based on them would be constructed, and how you can recognize and defend against them.

Audience:

This course is aimed at web developers.

Course outline:

Module 1: Developing a security-oriented mindset

  • The economics of security
  • Attack vectors: technical, social, physical
  • Security in depth
  • The issues with security by obscurity
  • Positive vs negative validation

Module 2: Analysing HTTP request/response

  • Understanding the HTTP protocol
  • Using an HTTP analyser
  • Request header content
  • Response header content
  • GET vs POST and the implications
  • Assembling and making custom fake requests
  • Tracing an AJAX application's HTTP flow

Module 3: Injection vulnerabilities

  • Concept and overall defense strategy
  • SQL injection
  • Path injection
  • HTTP header injection
  • Mail header injection
  • XPATH injection
  • Regex injection

Module 4: Attacks from the client side

  • Cross site scripting (XSS)
  • Cross site request forgery (CSRF)

Module 5: Authentication and authorization issues

  • Comparing password protection
  • Securing password storage
  • Handling password changes and resets securely
  • Session poisoning and session stealing
  • Direct object reference vulnerabilities
  • Securing static objects
  • Securing AJAX

Module 6: Exploiting trust relationships

  • Social engineering basics
  • Phishing
  • Unvalidated redirects and forwards
  • Weaknesses due to faked referrers
  • Dangers related to shared hosting and shared domains
  • Unicode homograph related issues

Module 7: Information leakage

  • The dangers of bad error handling
  • Managing risks in open APIs
  • Timing attacks

Module 8: Denial of Service attacks

  • How DoS attacks arise
  • DoS vs DDoS
  • XML poisoning attacks
  • Regex backtracking blow-up attacks

Facts

Course
T20113
Length
2 days
Price
SEK 16,500 (excl. VAT)

Stockholm

Göteborg

Malmö


Course material

Course material in English


Contact us
for more information:

08 - 587 116 10 (Stockholm)
031 - 773 07 90 (Göteborg)
040-662 20 60 (Malmö)
info@informator.se
