Secure Programming: Developing Defensible Web Applications

Dates: May 28, 2013 - May 30, 2013
Meets: Tuesday-Thursday from 9:00 AM to 3:30 PM, 3 sessions
Hours: 19.50
CEUs: 1.95
Location: Auburn Center for Developing Industries
Instructor: IT Training Solutions, LLC
Fee: $1,849.00

Sorry, this course has been cancelled. Please contact our office to see if it will be rescheduled, or if alternative classes are available.


Course Description


OVERVIEW:

This class first demonstrates to developers how attackers create strategies to compromise applications in order to help students "think like an attacker." The class then moves into demonstrating how the Open Web Application Security Project (OWASP) provides developers with the tools to successfully develop applications that are difficult or impossible to hack. This class is rich in hands-on opportunities giving developers a chance to see for themselves how attackers think, how the framework protects the application, as well as where it falls short. This course also satisfies section 6.5 of the Payment Card Industry Data Security Standard (PCI DSS).

This class is focused specifically on software development but is accessible enough for anyone who's comfortable working with code and has an interest in understanding the developer's perspective:

- Software Developers and Architects
- Testers/QA specialists
- Systems and Security Administrators
- Penetration Testers


COURSE OBJECTIVES:

Upon course completion students will:

- Understand security concerns, including the PCI DSS
- Understand and know the common vulnerabilities
- Understand the underlying code flaws that enable vulnerabilities
- Be able to correctly code to avoid flaws
- Be able to spot code with potential flaws
- Be able to use various tools, libraries, and frameworks to better secure systems and code


COURSE OUTLINE:

Common Attacks
- Injection Flaws *
- Cross Site Scripting *
- Cross Site Request Forgery *
- Malicious File Execution *
- Security Configuration *
- Session Hijacking *
- Encryption *
- Insecure Direct Object Reference *
- Failure to authorize/hidden URLs *

Secure Design
- Layered Design Concepts
- Object Layer
- Persistence Layer
- Presentation Layer

Countermeasures
- Validation
-- Validation Controls
-- Strong Typing
-- Regular Expressions
-- White list
-- Scrubbing
-- Black list
- Encoding *
- CAPTCHA *
- Honey Pots *
- Avoiding SQL Injection *
-- Parameterized Queries/Prepared Statements
-- Stored Procedures
-- Entity Framework/Hibernate
- Avoiding Cross Site Request Forgeries
- Authorization & Authentication
-- .Net Authentication
-- Basic & Digest
-- Forms *
- Windows Authentication
- JAAS and other Java authentication services *
- Authorization
- Password Security *
- Brute Force attacks
- Password Resets
- Secret Questions/Answers
- SSL

Session Security
- Session IDs
- Policies
- Hijacking/Fixation Attacks *

Resources
- OWASP Tools
-- ESAPI
-- CSRF Tester
-- WebScarab
- Other tools

(* indicates hands-on labs)


PREREQUISITES:

Experience with programming in ASP.NET using C#, or Java JSP/Servlets, or proficiency and a solid grasp of syntax in whatever platform/language you work with.

Office of Professional & Continuing Education | 301 OD Smith Hall | Auburn, Alabama 36849
Phone: (334) 844-5100 | Fax: (334) 844-3101