We provide a course about Web Security for Developers. The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates.
Course description:
Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to damage your data or reputation, subvert your resources for their own gain, or attack your user base. This course helps you develop a security-oriented mindset. It explores the way the web works, so you have a foundation for understanding how various vulnerabilities arise. With those foundations laid, it covers a range of common and less common vulnerabilities, how an attack based on them would be constructed, and how you can recognize and defend against them.
Course outline:
Day 1:
Introduction:
• The reality
• What might an attacker want
• Social Engineering
HTTPS:
• Man-in-the-middle attacks
• Certificates
• Certificate pinning
• Securing cookies
• HTTP Strict Transport Security header
Encoding:
• Character encoding
• Unicode
• Encoding
Cross Site Scripting:
• Stored XSS
• Reflected XSS
• DOM Based XSS
• XSS prevention
Content Security Policy:
• Headers and directives
• CSP Reporting
Cross site request forgery (CSRF):
• CSRF Prevention
• Synchronizer Token Pattern
• Double Submit Cookies
Injections:
• SQL Injections
• File path injections
Authentication & Authorisation:
• OAuth
• OpenID Connect
• Signed requests
• Form based authentication
• Securing the session
Day 2:
Denial-of-Service (DoS) attacks:
• Network attacks
• Application level attacks
• Regular Expression attacks
• XML DoS attacks
• Decompression bombs
Password management:
• Secure password storage
• Hashing
• Salt and pepper
Information leakage:
• Error handling
• Source control leaks
• SQL Timing attacks
• Login timing attacks
• Response header leakage
• Search engine leakage
• Server leaks
Logging & monitoring:
• Logging
• Monitoring
• Knowing when the site is under attack
• Honeypots
Attacking our site:
• How can we start hacking ourselves
• Hacking tools
Penetration testing:
• Hack yourself
Instructor: Tore Nestenius
Tore has worked as a consultant since 1997, is a very knowledgeable system developer, and has in the past worked for large companies such as Ericsson and Flextronics. Early in his career, Tore Nestenius started Programmers Heaven, a portal with over 750,000 monthly users. He is behind several other successful projects, including CodePedia (a wiki for developers), the open source project TNValidate, and the C# School e-book with over 100,000 downloads.
Target audience:
This course is aimed at web developers.
Prerequisites:
• You should have basic web development experience.
Language:
• The course is given in English.