AppSec California 2015

Register for Training

Most web application developers have heard about SQL Injection and Cross-Site Scripting, but few know which safeguards are really effective against expert hackers. Exploitation techniques have greatly evolved in the last few years and programmers need to keep their guard up. They are in the tough position of securing systems against experienced hackers. What help do they have?

The OWASP Top 10 web application vulnerabilities list has done a great job promoting awareness on the subject. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against these vulnerabilities. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

At the end of the course, participants will have learned:
• What are the OWASP Top 10 vulnerabilities
• How hackers exploit them
• Which safeguards are effective… and which ones are not!

The course will cover the following topics:

1. SSL Certificates
2. Effective Password Management
3. Secure Application Architecture
4. Injection Attacks
5. Command Injection
6. File Injection
7. SQL Injection
8. Cross-Site Scripting (XSS)
9. Cross-Site Request Forgery (CSRF)
10. Broken Authentication and Session Management
11. Insecure Direct Object References
12. Security Misconfiguration
13. Sensitive Data Exposure
14. Missing Function Level Access Control
15. Using Known Vulnerable Components
16. Unvalidated Redirects and Forwards
17. Securing Web Services (REST and SOAP)
18. Secure Coding Best Practices
19. List of Effective Safeguards

Hands-on Exercises:

1. Session Initialization and Client-Side Validation
   1. Part 1: Web Proxy and Session Initialization
   2. Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Optional Exercises:
   1. Sniffing Encrypted Traffic
   2. Command Injection
   3. Create SSL certificates

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of HTML, XML and SQL, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.