Web Security for Developers

The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to cause loss to your data or reputation, subvert your resources for their own gain or attack your user base.

This course helps you to develop a security-oriented mindset. It explores the way the web works, so you have a way to understand how various vulnerabilities arise. Then, with those foundations laid, it covers a range of common and less common vulnerabilities, how an attack based on them would be constructed, and how you can recognize and defend against them. 

Audience:

This course is aimed at web developers. 

Prerequisites:

You should have basic web development experience. 

About the author and instructor: Tore Nestenius

Tore has worked as a consultant since 1997, is a very knowledgeable system developer, and has in the past worked for large companies like Ericsson and Flextronics. Early in his career, Tore Nestenius started Programmers Heaven, a portal with over 750 000 monthly users. He is behind several other successful projects, such as CodePedia (a wiki for developers), the open source project TNValidate, and the C# School e-book with over 100 000 downloads.

Course outline:

Program

Introduction

  • The reality
  • What might an attacker want?
  • Social Engineering

HTTPS

  • Man-in-the-middle attacks
  • Certificates
  • Certificate pinning
  • Securing cookies
  • HTTP Strict Transport Security header

Encoding

  • Character encoding
  • Unicode
  • Encoding

Cross Site Scripting

  • Stored XSS
  • Reflected XSS
  • DOM Based XSS
  • XSS Prevention

Content Security Policy

  • Headers and directives
  • CSP Reporting

Cross site request forgery (CSRF)

  • CSRF Prevention
  • Synchronizer Token Pattern
  • Double Submit Cookies

Injections

  • SQL Injections
  • File path injections

Authentication & Authorisation

  • OAuth
  • OpenID Connect
  • Signed requests
  • Form based authentication
  • Securing the session

Denial-of-Service (DoS) attacks

  • Network attacks
  • Application level attacks
  • Regular Expression attacks
  • XML DoS attacks
  • Decompression bombs

Password management

  • Secure password storage
  • Hashing
  • Salt and pepper

Information leakage

  • Error handling
  • Source control leaks
  • SQL Timing attacks
  • Login timing attacks
  • Response header leakage
  • Search engine leakage
  • Server leaks

Logging & monitoring

  • Logging
  • Monitoring
  • Knowing when the site is under attack
  • Honey pots

Attacking our site

  • How can we start hacking ourselves
  • Hacking tools

Penetration testing

  • Hack yourself
