"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Similar documents
Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

CSWAE Certified Secure Web Application Engineer

Certified Secure Web Application Engineer

90% of data breaches are caused by software vulnerabilities.

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application. Security. on line training. Academy. by Appsec Labs

RiskSense Attack Surface Validation for Web Applications

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Training Program Catalog SECURITY INNOVATION

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 AWA 008 AWA 009 AWA 010 AWA 012 AWA 013 AWA 014 AWA 015

Web Application Vulnerabilities: OWASP Top 10 Revisited

Security Communications and Awareness

SECURITY TRAINING SECURITY TRAINING

Copyright

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Development*Process*for*Secure* So2ware

C1: Define Security Requirements

C and C++ Secure Coding 4-day course. Syllabus

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Security Communications and Awareness

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Security Fundamentals for your Privileged Account Security Deployment

Security Solutions. Overview. Business Needs

Web Application Penetration Testing

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Cybersecurity Education Catalog

Security Awareness, Training and Education Catalog

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

F5 Big-IP Application Security Manager v11

Application Layer Security

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Engineering Your Software For Attack

Bank Infrastructure - Video - 1

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

IBM Future of Work Forum

Ethical Hacking and Prevention

IE156: ICS410: ICS/SCADA Security Essentials

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

OWASP TOP OWASP TOP

Web Application Whitepaper

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Cybersecurity Auditing in an Unsecure World

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Aguascalientes Local Chapter. Kickoff

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Secure Application Development. OWASP September 28, The OWASP Foundation

Vulnerabilities in online banking applications

F5 Application Security. Radovan Gibala Field Systems Engineer

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Secure Development Lifecycle

COMP9321 Web Application Engineering

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Developing Secure Systems. Associate Professor

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Ingram Micro Cyber Security Portfolio

Hunting Security Bugs

CompTIA Cybersecurity Analyst+

Unit Level Secure by Design Approach

Web Application Threats and Remediation. Terry Labach, IST Security Team

ShiftLeft. Real-World Runtime Protection Benchmarking

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

The Android security jungle: pitfalls, threats and survival tips. Scott

1 About Web Security. What is application security? So what can happen? see [?]

Notes From The field

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Applications Security

Evaluating the Security Risks of Static vs. Dynamic Websites

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Test Harness for Web Application Attacks

Managed Application Security trends and best practices in application security

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Managing Microsoft 365 Identity and Access

COMP9321 Web Application Engineering

Mitigating Security Breaches in Retail Applications WHITE PAPER

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Simplifying Application Security and Compliance with the OWASP Top 10

Welcome to the OWASP TOP 10

Exploiting and Defending: Common Web Application Vulnerabilities

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Tiger Scheme SST Standards Web Applications

DXC Security Training

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Solutions Business Manager Web Application Security Assessment

Improving Security in the Application Development Life-cycle

SECURITY TESTING. Towards a safer web world

Transcription:

Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based web applications. In addition to teaching basic programming skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle. In this course, students thoroughly examine best practices for defensively coding.net web applications, including XML processing and web services. Students will repeatedly attack and then defend various assets associated with a fully-functional web application. This hands-on approach drives home the mechanics of how to secure.net web applications in the most practical of terms. Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. After spending significant time trying to defend a poorly designed (from a security perspective) web application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle. A key component to our Best Defense IT Security Training Series, this workshop is a companion course with several developer-oriented courses and seminars. Although this edition of the course is.net-specific, it may also be presented using Java or other programming languages. Objectives At the end of this course, students will be able to: Understand potential sources for untrusted data Understand the consequences for not properly handling untrusted data such as denial of service, crosssite scripting, and injections Be able to test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses Prevent and defend the many potential vulnerabilities associated with untrusted data Understand the vulnerabilities of associated with authentication and authorization Be able to detect, attack, and implement defenses for authentication and authorization functionality and services Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks Be able to detect, attack, and implement defenses against XSS and Injection attacks Understand the concepts and terminology behind defensive, secure, coding Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications Design and develop strong, robust authentication and authorization implementations within the context of.net

Course Summary (cont d) Be able to detect, attack, and implement defenses for XML-based services and functionality Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure Understand and implement the processes and measures associated with the Secure Software Development (SSD) Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives Understand the basics of security testing and planning Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses Topics Foundation Top Security Vulnerabilities Understanding what s important Defending XML Processing Secure Software Development (SSD) Security Testing Appendix: Security Design Patterns Audience This is an intermediate-level.net programming course designed for application project stakeholders who wish to get up and running on developing well defended.net applications. Prerequisites Familiarity with the C# programming language is required, and real world programming experience is highly recommended. Students should have an understanding and a working knowledge in basic programming in.net. Students should have experience similar to ProTech s.net Framework Using C#. Take After: We offer a variety of introductory through advanced security, development, project management, engineering, architecture and design courses. Students may want to consider the following topics as follow-on to this course. Securing.Net Web Services Mastering Secure SOA Secure Software Design Additional advanced Security or Secure Programming topics Service-Oriented Analysis and Design Web Services Intro through Advanced Software Engineering, Design or Project Management tracks Duration Four days

I. Foundation A. Misconceptions 1. Thriving Industry of Identity Theft 2. Dishonor Roll of Data Breaches 3. TJX: Anatomy of a Disaster 4. Heartland: What? Again? B. Security Concepts 1. Terminology and Players 2. Assets, Threats, and Attacks 3. OWASP 4. CWE/SANS Top 25 Programming Errors 5. Categories 6. What they mean to your web applications C. Defensive Coding Principles 1. Security Is a Lifecycle Issue 2. Bolted on Versus Baked 3. Minimize Attack Surface Area 4. Examples of Minimization 5. Defense in Depth 6. Manage Resources 7. Layers of Defense: Tenacious D 8. Compartmentalize 9. Consider All Application States 10. Do NOT Trust the Untrusted 11. Fix Security Defects Correctly 12. Learning From Vulnerabilities D. Reality 1. Recent, Relevant Incidents 2. Finding Security Defects In Web Applications II. Top Security Vulnerabilities A. Unvalidated Input 1. Unvalidated Input: Description 2. Integer Arithmetic Vulnerabilities 3. Unvalidated Input: From the Web 4. Hidden Values in HTTP Communications 5. Unvalidated Input: Symptoms and Detection 6. Detection Through Fuzz Testing 7. Unvalidated Input: Fixes 8. Identifying Trust Boundaries 9. Designing An Appropriate Response 10. Testing Defenses And Responses B. Overview of Regular Expressions Course Outline C. Broken Access Control 1. Access Control Issues 2. Broken Access Control: Description 3. Excessive Privileges 4. Unprotected URL/Resource Access: Description 5. Unprotected URL/Resource Access: Symptoms and Detection 6. Primary Concerns in URL/Resource Access 7. Unprotected URL/Resource Access: Fixes 8. Protecting Sessions 9. Addressing Client-Side Caching of Content 10..Net authorization security overview 11. Defending special privileges such as administrative functions 12. Application authorization best practices D. Broken Authentication and Session Management 3. Multi-layered defenses of authentication services 4. Password management strategies 5. Password handling with hashing 6. Mitigating password caching 7. Testing defenses and responses for weaknesses 8. Alternative authentication mechanisms 9. Best practices for session management 10. Defending session hijacking attacks 11. Best practices for Single Sign-On (SSO) E. Cross Site Scripting (XSS) Flaws 1. Description With Working Example 3. Character Encoding Complications 4. Blacklisting 5. Whitelisting 6. HTML/XML Entity Encoding 7. Trust Boundary Definition 8. Implementing An Effective Layered Defense 9. Designing An Appropriate Response F. Injection Flaws 1. SQL Injection Continues to be Prevalent 2. Injection Flaws: Description 3. Injection Flaws: Symptoms and Detection 4. SQL Injection Examples

Course Outline (cont d) 5. SQL Injection Attacks Evolve 6. Attackers have a Variety of Tools 7. SQL Injection: Drill Down on Stored Procedures 8. SQL Injection: Drill Down on ORM 9. Minimize SQL Injection Vulnerabilities 10. Minimizing Injection Flaws 11. Command Injection Vulnerabilities G. Error Handling and Information Leakage 3..Net web application exception handling framework 4. Error response best practices 5. Error, auditing, and logging content management 6. Error, auditing, and logging service management 7. Best practices for supporting web attack forensics 8. Information Leaks 9. Data Loss Prevention (DLP) 10. Solving DLP Challenges 11. DLP: What and Where 12. DLP: Best Practices H. Insecure Storage 3. Data leakage 4. Risk minimization 5. Cryptography Overview 6. Data encryption 7. In-Memory Data Handling 8. Handling Passwords on Server Side I. Insecure Management of Configuration 3. System hardening 4..Net application server configuration Gotchas! 5. Hardening software installation J. Direct Object Access 3. XML/DTD/Schema/XSLT best practices 4. Race Conditions 5. Direct Object References K. Spoofing and Redirects 1. Spoofing: Description 2. Name Resolution Vulnerabilities 3. Attacks are Constant and Changing 4. Spoofing: Fixes 5. Cross Site Request Forgeries (CSRF) 6. How To Get Victim To Select URL? 7. CSRF Defenses are Entirely Server-Side 8. CSRF Defenses are Evolving 9. Redirects and Forwards 10. Safe Redirects and Forwards III. Understanding What s Important A. Prioritizing Your Efforts 1. Common Vulnerabilities and Exposures 2. OWASP Top Ten for 2010 3. Security Is a Lifecycle Issue 4. Minimize Attack Surface Area 5. Defense in Depth 6. Manage Resources 7. Layers of Defense: Tenacious D 8. Compartmentalize 9. Consider All Application States 10. Do NOT Trust the Untrusted 11. Fix Security Defects Correctly 12. Leverage Experience B..Net Issues and Best Practices 1..Net Security Mechanisms 2..Net Authorization Mechanism 3. Securing Passwords and Configurations 4. Managed Code and Buffer Overflows 5..Net Permissions 6. ActiveX Security Implications 7. Securely Handling Exceptions in.net IV. Defending XML Processing A. Defending XML 1. Understanding common attacks and how to defend 2. Operating in safe mode 3. Using standards-based security 4. XML-aware security infrastructure B. Defending Web Services 1. Security exposures 2. Transport-level security

Course Outline (cont d) 3. Message-level security 4. WS-Security 5. Attacks and defenses C. Defending Ajax 1. Ajax Security exposures 2. Attack surface changes 3. Injection threats and concerns 4. Effective defenses and practices V. Secure Software Development (SSD) A. SSD Process Overview B. CLASP Defined C. CLASP Applied 1. Asset, Boundary, and Vulnerability Identification 2. Vulnerability Response 3. Design and Code Reviews 4. Applying Processes and Practices 5. Risk Analysis VII. Appendix: Security Design Patterns A. Design patterns introduction B..Net Web Application Security Design Patterns 1. Authentication Enforcer 2. Authorization Enforcer 3. Intercepting Validator 4. Secure Base Action 5. Secure Logger 6. Secure Pipe 7. Secure Service Proxy 8. Intercepting Web Agent VI. Security Testing A. Testing as Lifecycle Process B. Testing Planning and Documentation C. Testing Tools And Processes 1. Principles 2. Reviews 3. Testing 4. Tools D. Static and Dynamic Code Analysis E. Testing Practices 1. Authentication Testing 2. Session Management Testing 3. Data Validation Testing 4. Denial Of Service Testing 5. Web Services Testing 6. Ajax Testing

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback