Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents

Similar documents
Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Application. Security. on line training. Academy. by Appsec Labs

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

IE156: ICS410: ICS/SCADA Security Essentials

TRAINING CURRICULUM 2017 Q2

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Application Security Approach

ShiftLeft. Real-World Runtime Protection Benchmarking

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Aguascalientes Local Chapter. Kickoff

Hacking Classes 75% notsosecure.com. Updated Regularly to Include Trending Techniques. Written by BlackHat Trainers: Available Globally

Secure DevOps: A Puma s Tail

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Your Turn to Hack the OWASP Top 10!

OWASP Broken Web Application Project. When Bad Web Apps are Good

6-Points Strategy to Get Your Application in Security Shape

Web Applications Penetration Testing

Ingram Micro Cyber Security Portfolio

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Applications Security

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Protect your apps and your customers against application layer attacks

ISDP 2018 Industry Skill Development Program In association with

Introductions. Jack Katie

Managed Application Security trends and best practices in application security

Ethical Hacker Foundation and Security Analysts Course Semester 2

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Instructor-led Training Course Catalog

Presentation Overview

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

SECURITY TESTING. Towards a safer web world

Copyright

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Cybersecurity Education Catalog

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

Continuously Discover and Eliminate Security Risk in Production Apps

Development*Process*for*Secure* So2ware

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

This course includes 14 lessons and 5 Course Activities. Each lesson contains one or more Lesson Activities. The lessons cover the following topics:

Web Application Vulnerabilities: OWASP Top 10 Revisited

90% of data breaches are caused by software vulnerabilities.

Exploiting and Defending: Common Web Application Vulnerabilities

Matt Walker s All in One Course for the CEH Exam. Course Outline. Matt Walker s All in One Course for the CEH Exam.

DXC Security Training

Curso: Ethical Hacking and Countermeasures

Web Application Security Evaluation


Web Application Threats and Remediation. Terry Labach, IST Security Team

Human vs Artificial intelligence Battle of Trust

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance


Taking Control of Your Application Security

Course 831 EC-Council Certified Ethical Hacker v10 (CEH)

Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas

V Conference on Application Security and Modern Technologies

C1: Define Security Requirements

Penetration testing.

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Mitigating Security Breaches in Retail Applications WHITE PAPER

Engineering Your Software For Attack

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Overview of Web Application Security and Setup

Defying Logic. Theory, Design, and Implementation of Complex Systems for Testing Application Logic. Rafal Los, Prajakta Jagdale

10 FOCUS AREAS FOR BREACH PREVENTION

Web Application Security. Philippe Bogaerts

SensePost Training Overview 2011/2012

200 IT Security Job Interview Questions The Questions IT Leaders Ask

Andrew van der Stock OWASP Foundation

Course Outline. CISSP - Certified Information Systems Security Professional

Security Solutions. Overview. Business Needs

Hands-On Hacking Course Syllabus

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

SECURITY TRAINING SECURITY TRAINING

TIBCO Cloud Integration Security Overview

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

RiskSense Attack Surface Validation for Web Applications

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Unit Level Secure by Design Approach

Security Course. WebGoat Lab sessions

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

Training Program Catalog SECURITY INNOVATION

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

Security Testing. John Slankas

Security Solution. Web Application

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

Transcription:

Seth & Ken s Excellent Adventures in Secure Code Review Training Course 17th & 18th of October Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review 1 Course Abstract 2 What attendees will learn? 2 What attendees will be provided? 3 What attendees should bring? 3 Pre-requisites 3 Detailed Outline 4 Day 1 4 Day 2 5 Trainer Biography 6 Ken Johnson 6 Seth Law 6 All training courses are two full days of intensive, hands-on learning and include complimentary morning tea, lunch and afternoon tea. Tickets can be secured buy going to the website https:///. 1

Course Abstract This course introduces security and technology professionals alike to the nitty-gritty details of performing secure code reviews. Have you ever been asked to review code manually with the intention of finding security issues such as SQL Injection, XSS, and Access Control flaws? What about assessing the security reputation of a new framework or library? Or being asked to review a pull request from a sensitive part of the code base? This course addresses all of these common challenges in modern secure code review. Code Review Methodology used to cover security issues Practical methods for identifying OWASP Top 10 vulnerabilities in: Go Ruby/Rails Django/Python Node/Express Java/Spring.Net/MVC, Open source code review tools available for different languages Hands-on experience identifying vulnerabilities in known-vulnerable code bases. We have concentrated on taking our past adventures in code review, the lessons we ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology to perform analysis of any source code and suss out security flaws, no matter the size of the code base, or the framework, or the language. You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base. 2

What attendees will learn? Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course. What attendees will be provided? Presentation materials. Source code to be analyzed during the course (VM provided, if desired). What attendees should bring? Laptop with wireless and virtual machine (VMWare/Virtual Box) capabilities. Preferred IDE. Pre-requisites Attendees should be familiar with the development process (SDLC) and where secure code reviews fit into the process. Attendees should have experience using an IDE, running command-line tools, and be able to read application source code. Attendee should have knowledge of the OWASP Top 10 and other common web vulnerabilities. 3

Detailed Outline Day 1 Overview Introductions What to Expect Tools/Lab Setup OWASP Top 10 Code Review Methodology Overview Introduction to Methodology Automated Tools Manual Analysis Information Gathering Threat Modeling Enumeration AAA (Authentication/Authorization/Auditing) Application Sources Application Sinks Other interesting finds Comments Keys 3rd-party libraries Authentication User Enumeration Timing Attacks Password Complexity Typical Logic Flaws Insecure Password Resets Insecure Forgot Password Functionality Password Storage Authorization Broken Access Control Insecure Direct Object Reference 4

Forced Browsing Missing Function Level Access Control Auditing Sensitive Data Exposure Logging Vulnerabilities Injection Input Validation SQL Injection ORM and ActiveRecord Patterns/Flaws Examples from previous assessments XXE Server-Side Request Forgery HTML/Content Injection Cryptographic Analysis Encoding vs. Encryption Hashing Stored Secrets Configuration Review Framework gotchas Configuration files Dependency Analysis Day 2 Technical Hands-On Review Java.Net Ruby On Rails Node.js Django ios/android 5

Trainer Biography Ken Johnson https://www.linkedin.com/in/ken-johnson-a180a042/ Ken Johnson, has been hacking web applications professionally for 10 years and given security training for 7 of those years. Ken is both a breaker and builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken s current projects are WeirdAAL, OWASP Railsgoat, and the Absolute AppSec podcast with Seth Law. Seth Law https://www.linkedin.com/in/seth-law-b01ba618/ Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth currently hosts the Absolute AppSec podcast with Ken Johnson and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback