Application Security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, or deployment of the application.Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing should be implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.
About this workshop
Traditionally, security has been handled with a large focus on the network. Security budgets are allocated to defenses that are understood, not defenses that reduce the most risk. Many people understand what a firewall does but the problem is that a firewall will only mitigate certain threats. With the rise of service-oriented architecture and the fact that more and more data is moving through port 80, the threat of a weak application is huge no matter how many firewalls you put in front of it. Making security part of the software development life cycle (SDLC) reduces risk and provides strategic advantage.
The entire training is driven by hands-on exercises and case studies to ensure that all aspects have a real-life scenario-based approach. Each participant will be provided with fully configured machines with all the tools and test images loaded.
Benefits
On completion of this course, participants will get a better understanding of
- Application security attacks
- Primary risks facing web applications
- Threat Modelling
- Threat Profiling
- OWASP Top Ten Testing
- Black Box Testing
- Secure Code Reviews
Who should attend
This course is meant for professionals responsible for developing and testing applications
- Software Developers / Testers (J2EE/ASP.NET)
- Design Architects
- Security Auditors
- Security Architects
- Program Managers
- Security Consultants
Course Outline
- Introduction and Case Study
- Web Hacking Case Studies
- Business Risks from Application Vulnerabilities
- Web 2.0 Security
- What is Web 2.0?
- AJAX Vulnerabilities
- What are Web Services?
- Web Services Vulnerabilities
- Threat Modeling - Application Security Controls
- Application Security - An Overview
- Threat Modeling – Objectives
- Threat Modeling – Meaning and terminology
- Hacker’s Interest Area
- Threat Profiling
- Practical Considerations
- Case Study
- Introduction to web application vulnerabilities
- OWASP Top Ten
- OWASC List of Vulnerabilities
- Functional v/s Security testing
- What is Functional testing?
- What is Security testing?
- Differences
- Tools for functional and security testing of application
- Web application in-securities practical hands-on
- Demo of web vulnerabilities with insecure web applications
- Secure Coding Techniques
- Best Practices
- Secure J2EE Programming
- Secure .NET Programming
- Secure PHP Programming
- Significant OWASP Projects
- OWASP Development Guide
- OWASP Testing Guide
- OWASP Code Review Guide
- Continuous security testing and assessments
- Risks from Outsourcing
- Risk based approach
- Conducting VAPT, Source code audits, Infrastructure reviews
- Flash Attacks
- iFrame Injections