NotSoSecure - AppSec for Developers

May 25th and 26th

Course Abstract

Pen testing (security testing) as an activity tends to catch security vulnerabilities at the end of the SDLC, by which point it is often too late to influence fundamental changes in the way the code is written.

This course has been written by developers turned pen testers. It is critical to introduce security as a quality component into the development cycle, and the course helps developers to code in a secure manner from the start.

Throughout this class, developers will get on the same page with security professionals, understand their language, learn how to fix or mitigate the vulnerabilities covered during the class, and get acquainted with some real-world breaches, for example the Equifax breach of September 2017. Various bug bounty case studies from popular websites like Facebook, Google, Shopify, PayPal, Twitter etc. will be discussed, explaining the financial repercussions of application security vulnerabilities like SSRF, XXE, SQL injection, authentication issues etc.

The techniques discussed in this class are mainly focused on .NET, Java and NodeJS technologies owing to their huge adoption across enterprises building web applications. However, the approach is kept generic, and developers from other language backgrounds can easily grasp the material and apply it within their own environments.

Delegates will participate in a CTF challenge where they will have the chance to identify vulnerabilities in code snippets derived from real-world applications.

Outline

Application Security Basics

  • Why do we need Application Security?
  • Understanding OWASP TOP 10 2017

Understanding the HTTP Protocol

  • Understanding HTTP/HTTPS protocol
  • Understanding Requests and Responses - Attack Surface
  • Configure Burp Suite to intercept HTTP/HTTPS traffic

Security Misconfigurations

  • Common misconfigurations in Web Applications
  • Sensitive Information exposure and how to avoid it
  • Using software with known vulnerabilities

Insufficient Logging and Monitoring

  • Types of Logging
  • Introduction to F-ELK

Authentication Flaws

  • Understanding Anti-Automation Techniques
  • NoSQL Security
  • Understanding WebAuthn – Passwordless Authentication Framework

Authorization Bypass Techniques

  • Securing JWT and OAuth
  • Local file Inclusion
  • Mass Assignment Vulnerability

Cross-Site Scripting (XSS)

  • Types of XSS
  • Session Hijacking
  • Mitigating XSS

Cross-Site Request Forgery (CSRF)

  • Understanding CSRF
  • Mitigating CSRF

Server-Side Request Forgery (SSRF)

  • Understanding SSRF
  • Mitigating SSRF

SQL Injection

  • Error and Blind SQL Injections
  • Mitigating SQL Injection
  • ORM Framework: HQL Injection

XML External Entity (XXE) Attacks

  • Default XML Processors == XXE
  • Mitigating XXE

Unrestricted File Uploads

  • Common Pitfalls around file upload
  • Mitigating File upload vulnerability

Deserialization Vulnerabilities

  • What is Serialization?
  • Identifying Deserialization functions and deserialized data
  • Mitigation strategies for deserialization

Client-Side Security Concerns

  • Understanding Same Origin Policy
  • Client-Side Security headers and their server configurations

Source Code Review

  • What to check for Security in source code
  • CTF: A timed game to spot the flaws in the given Source Code samples

DevSecOps

  • DevSecOps - What Why and How?
  • Case Study

Who Should Attend

This course is ideal for web/API developers who work day in, day out building full-stack web applications or web APIs. Anyone looking to develop a skill set in web application security and to identify web application flaws can also benefit from this course.

What You Need

Delegates need a basic understanding of how web applications work; those who currently develop web applications will have an added advantage. This training is programming-language agnostic.

Delegates Should Bring

  • A laptop with a minimum of 4 GB RAM and 1 GB of free disk space.

Bio

Abhijay Singh, Principal Security Consultant, NotSoSecure

Abhijay Singh is an information security professional working as a Principal Security Consultant at NotSoSecure. He has 8+ years of corporate experience with expertise in application security, network security and vulnerability assessment. Abhijay currently holds industry-recognized accreditations including OSCP. As well as being a hands-on pen tester, Abhijay is also an experienced trainer and co-contributor to NotSoSecure's AppSec for Developers, DevSecOps and AppSecOps courses. Abhijay has delivered training at numerous leading global security conferences. His current expertise revolves around finding interesting bugs in web applications, and he loves doing Android and iOS app security assessments. In his spare time, he is an inveterate bug bounty hunter and likes to read about and learn new technologies.