Mastering holistic application security
Practice-changing impact and long-lasting security knowledge and skills are the expected outcomes of this new-school web application security training. The course is inclusive: developers learn application security and hacking, improve their professional skills, and are introduced to the security design patterns used to fix the code. In a modern development process security testing is shared among developers, devops, testers and auditors, and this mixed situation is recreated during the exercises.
This training keeps lectures to a minimum and focuses on hands-on exercises. We start with an understanding of secure development and the secure coding principles. We then do basic hacking challenges and move gradually to advanced topics, followed by exercises that are about fixing vulnerable code. On the last day of the training the attendees must demonstrate their security testing skills on a custom-built vulnerable application and implement the code fixes; this work is reviewed by the trainer.
After this course the attendees will have a broad set of actionable knowledge and practice that can be used straight away. Using the OWASP SKF (Security Knowledge Framework) project will also enable them to build secure applications by design and to keep improving and training themselves after the course.
- short title: Mastering holistic WebAppSec, from the 'DIY security testing' series
- full title: Mastering holistic application security (aka WebAppSec testing, hacking and fixing -- extended)
- course level: from baseline to advanced practices
- audience: developers and general security newbies
- duration: 2 days, 14 hrs education time
- gear: a laptop
- preinstalled: KALI, Python2 and Python3, ZAP or Burp community edition; your favorite IDE (for the fixing of vulnerabilities)
- qualification requirement: basic programming skills (in the labs we start from basic hands-on exploits and progress to advanced ones)
Intro to principles and practice of secdev
- Introduction to vulnerabilities
  - 'Into the middle of things' hands-on hacking
  - Playing with untuned source code scanning
  - Playing with identifying real threats and security requirements
- Intro to secure coding
  - OWASP ASVS topics, an introduction to the areas to protect
  - How a properly designed infrastructure architecture should be built
- Intro to practical secure development
  - Setting up the right security requirements using OWASP SKF
  - Create and train security champions
  - S-SDLC basics, secure development as an integral part of the SDLC
  - Automatic tools and their value, non-automatic tools, pentests, peer code review, assisted code review
Testing/hacking and fixing
- Common server-side vulnerabilities and their defense
  - Injections: SQLi, XML injection, JSON, XPath, XSS, cookie injection, open redirection, HTTP header injection, 2 deserialization attacks
  - Path traversal, XXE, buffer overflow, zip bomb, million laugh, RFI (remote file inclusion), insecure file upload, code execution
  - Command injection
  - Insecure direct object reference
  - Server-side template injection
  - CSRF bypassing
  - JWT
  - Authorization bypasses
- Common client-side vulnerabilities and their defense
  - XSS (types, impact, causes, defenses, other HTML injections, BeEF)
  - CSRF, clickjacking, same-origin policy, CORS
  - Tabnabbing
  - Client-side template injection
Security design
- Security by design
  - Threat modelling
  - Separation of duties, trust boundaries, security boundaries, defence in depth, principle of least privilege, minimising the attack surface, risk-driven mitigation
  - Business logic vulnerabilities
- Cryptography
  - Cryptography basics
  - TLS, cipher suites
  - HTTP certificate pinning
  - Perfect forward secrecy, certificate transparency
- HTTP configuration
  - CSP, HSTS, cookie settings, X-Content-Type-Options
- Access management
  - Authentication principles, session management, authorization
  - Access management in a RESTful environment (to JWT or not to JWT)
  - OAuth2, OpenID Connect
- Server-side defense
  - API security, design and implementation
  - Web service security
  - Attack surface
  - Input validation vs encoding