Secure Application Development

This course presents a progress report on recent attacks and the trends, then reviews the OWASP top 10 and other vulnerabilities.

Overview

Many developers have already been exposed to secure coding and vulnerability training. This course reviews the 2017 OWASP Top 10 and the PCI DSS as a refresher for experienced developers and an introduction for new ones.
The core of the course gives developers the tools needed to prevent, detect, and respond to intrusions through best practices and secure-by-default coding.

The course opens with a progress report on recent attacks and trends, then reviews the OWASP Top 10 and other vulnerabilities. From there, we build a “secure by default” implementation using Test-Driven Development, object modeling and an ORM, and finally a web application. The course closes with a review of detection and response frameworks.

Audience

This course is intended for experienced developers using Java or C#.

Length

3 days

Outline

Day 1
• Security progress report
• PCI DSS review
• OWASP Top 10 security review
  ◦ Case study – a flawed application
  ◦ Injection flaws
  ◦ Broken authentication & session management
  ◦ XSS
  ◦ Broken access control
  ◦ Security (mis)configuration
  ◦ Sensitive data exposure
  ◦ Insufficient attack protection
  ◦ CSRF
  ◦ Components with known vulnerabilities
  ◦ Underprotected APIs
  ◦ Hands-on demonstration
  ◦ Hands-on patch

Day 2
• Monster mitigations – good habits that protect against many attacks
  ◦ N-tier architecture – security at trust boundaries
  ◦ Validation
  ◦ Sessions
  ◦ Authentication / authorization
  ◦ Anti-forgery
• Hands-on case study
  ◦ Requirements
  ◦ Unit tests
  ◦ Object model
  ◦ Persistence
  ◦ User interface
• Review of the case study application’s vulnerabilities

Day 3
• Security toolkit for developers
• Detection framework implementation
• Monitoring and reacting to intrusions in real time
• Review