Web Security for Developers

The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to cause loss to your data or reputation, subvert your resources for their own gain or attack your user base.

This course helps you to develop a security-oriented mindset. It explores the way the web works, so you have a way to understand how various vulnerabilities arise. Then, with those foundations laid, it covers a range of common and less common vulnerabilities, how an attack based on them would be constructed, and how you can recognize and defend against them. 

Audience:

This course is aimed at web developers. 

Prerequisites:

You should have basic web development experience. 

About the instructor: Tore Nestenius

Tore has worked as a consultant since 1997. He is a very knowledgeable system developer and has in the past worked for large companies like Ericsson and Flextronics. Early in his career, Tore Nestenius started Programmers Heaven - a portal with over 750 000 monthly users. He’s behind several other successful projects like CodePedia - a Wiki for developers, the Open Source project TNValidate, and the C# School e-book with over 100 000 downloads.

Course outline:

  • Introduction

    • The reality
    • What might an attacker want?
    • Social Engineering

  • HTTPS

    • Man-in-the-middle attacks
    • Certificates
    • Certificate pinning
    • Securing cookies
    • HTTP Strict Transport Security header

  • Encoding

    • Character encoding
    • Unicode
    • Encoding

  • Cross Site Scripting

    • Stored XSS
    • Reflected XSS
    • DOM Based XSS
    • XSS Preventions

  • Content Security Policy

    • Headers and directives
    • CSP Reporting

  • Cross site request forgery (CSRF)

    • CSRF Prevention
    • Synchronizer Token Pattern
    • Double Submit Cookies

  • Injections

    • SQL Injections
    • File path injections

  • Authentication & Authorisation

    • OAuth
    • OpenID Connect
    • Signed requests
    • Form based authentication
    • Securing the session

  • Denial-of-Service (DoS) attacks

    • Network attacks
    • Application level attacks
    • Regular Expression attacks
    • XML DoS attacks
    • Decompression bombs

  • Password management

    • Secure password storage
    • Hashing
    • Salt and pepper

  • Information leakage

    • Error handling
    • Source control leaks
    • SQL Timing attacks
    • Login timing attacks
    • Response header leakage
    • Search engine leakage
    • Server leaks

  • Logging & monitoring

    • Logging
    • Monitoring
    • Knowing when the site is under attack
    • Honey pots

  • Attacking our site

    • How can we start hacking ourselves
    • Hacking tools

  • Penetration testing

    • Hack yourself