Please note: Training Sessions are not included in the Conference price.
Sign up now! Check for availability and pricing on Eventbrite.
Course Abstract:
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This course provides web developers deep hands-on knowledge about the OWASP Top 10 most critical web application security risks.
Participants will first learn the technical details about each vulnerability. Demos, attack examples, threat modeling discussions, code review as well as other methods will be used to describe and discuss each risk.
Participants taking the class will practice security assessment techniques through several hands-on exercises using the free version of Burp Proxy and a safe online hacking environment. We focus on the manual assessment techniques of this popular tool.
The majority of the course will focus on defensive theory. Hacking a web application, as we will find out, is not a difficult task for an experienced web developer armed with the right knowledge. However, defending a web application is difficult and complex work. Mastering web defense is the primary thrust of this course.
Course Objectives:
- Understand how hackers attack web applications in order to better defend them
- Learn how to test your own web application
- Learn which security safeguards are truly effective (and which ones are not)
- Understand secure coding best practices
Training Outline:
1. OWASP Top 10 web app vulnerabilities:
A1 - Injection (Command Injection, SQL Injection)
A2 - Broken Authentication
A3 - Sensitive Data Exposure
A4 - XML External Entities (XXE)
A5 - Broken Access Control
A6 - Security Misconfiguration
A7 - Cross-Site Scripting (XSS)
A8 - Insecure Deserialization
A9 - Using Components with Known Vulnerabilities
A10 - Insufficient Logging and Monitoring
2. Password Management
3. Secure Coding Best Practices
4. HTTPS Best Practices
5. Using a Vulnerability Proxy
… and much more!
Hands-on Exercises:
1. Input Validation
2. Cross Site Scripting Filter Bypass
3. Online Password Guessing Attack
4. Account Harvesting
5. Injection Attacks
6. Using a Web Application Vulnerability Proxy
… and much more!
Upon completion of this training, attendees will know:
- The most critical web application vulnerabilities
- Secure coding best practices
- How to use common security assessment tools
Attendees will be provided with (by the trainer):
- The slides in raw PPT format
- Access to the online lab environment during and after class
- A “cheat mode” that reveals all answers, enabled after class
Attendees should bring:
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 30 GB of free disk space and either VMware Workstation Player (free 30-day trial), VMware Workstation Pro, VMware Fusion or Oracle VirtualBox pre-installed. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.
Prerequisites for attendees:
This course is designed to help intermediate and expert web developers and web architects understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will also benefit from this class.