TECH TRAINING 6 – BUILDING SECURE WEB AND MOBILE APPLICATIONS

OVERVIEW

The major cause of web insecurity is insecure software development practices.

This highly intensive and interractive 2-day course provides essential application security training for web application, webservice and mobile software developers and architects. The class is a combination of lecture, hands-on security testing and code review. Participants will not only learn the most common threats against applications, but more importantly they will learn how to also fix the problems and design secure web solutions via defense-based code samples and review.

This class will also highlight production quality API’s from various languages, frameworks, and 3rd party libraries that provide production quality and scalable security controls. This course will focus on Java and .NET programming, but any software developer building web applications will benefit. We provide free email support for life for all students. Digital copies of all course ware will be provided.

WHO SHOULD ATTEND

Any web application developer or architect, web security professionals and development managers who are tasked with building secure web applications, web services and mobile applications.

KEY LEARNING OBJECTIVES

• How to build injection-safe server-side applications

• How to build modern access control functionality for multi-tenant data-driven applications

• How to build an injection safe user interface

• How to build a secure authentication mechanism

• How to store passwords securely

• How to build multi-factor authentication mechanisms

• Understanding the limits of HTTPS and what to do about it

• How to implement multi-layered CSRF protection

• How to implement modern security HTTP Headers

• How to implement modern symmetric cryptographic storage

• How to implement asymmetric crypto for encryption and non-repudiation

• How to build security into various stages of the SDLC

• How to build a secure mobile application

• How to build a secure REST web service

COURSE AGENDA

DAY 1 (MORNING)

• HTTP Basics and Introduction to Application Security

• Input Validation

• SQL and other Injection

DAY 1 (AFTERNOON)

• Access Control Design

• XSS Defense

• Advanced XSS Defense

DAY 2 (MORNING)

• Authentication and Session Management

• CSRF/Clickjacking Defense

• Secure SDLC and Security Architecture

DAY 2 (AFTERNOON)

• Cryptographic Storage

• Mobile Security Basics

• Webservice Security

HARDWARE / SOFTWARE REQUIREMENTS

Any Windows machine or Virtual Machine with at least 4GB of RAM

ABOUT THE TRAINER

Jim Manico (VP Security Architecture, Whitehat Security)

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the Open Web Application Security Project (OWASP). He manages and participates in several OWASP projects, including the OWASP cheat sheet series, the OWASP Java HTML Sanitizer project, the OWASP Java Encoder Project and the OWASP JSON Sanitizer Project.