Monday, January 23 • 9:00am - 5:00pm
Secure Coding Bootcamp for the Web


The major cause of web insecurity is the lack of secure software development practices. This one-day bootcamp will help developers and other software professionals build and maintain secure applications. This class contains a combination of lecture, security testing demonstration and code review.

The following modules will be included in this class.

– HTTP Basics (1 hr)

In this module we will cover the various security implications of using the HTTP protocol for web and web service development. Topics such as the proper use of HTTP verbs and HTTP security response headers will be covered. We will also use an intercepting proxy tool to demonstrate how attackers modify request data to harm your applications. This module will also introduce several methods needed to properly transmit sensitive data over HTTPS.

– SQL and Other Injection (0.5 hrs)

Injection is an application weakness that allows attackers to execute harmful SQL, operating system, LDAP and other commands against your application. It is one of the most dangerous vulnerabilities possible. This module will review several forms of injection with live demonstrations. We will discuss the limits of input validation and focus on more robust defenses such as query parameterization and encoding.

– Authentication (2.5 hrs)

Authentication is the “front gate” of any application and is used to establish the identity of your users. This module will discuss the security mechanisms found within a secure authentication layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk, high-security web application. Session management threats and best practices will also be covered. This module will also include code review labs.

– OAuth Security (2 hrs)

OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let’s say it again: OAuth is not a standard – it’s a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will be answered in this module.

– Access Control (1 hr)

Access control is a necessary security control at almost every layer within a web application. This module will discuss several of the key access control anti-patterns commonly found during website security audits. These anti-patterns include hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible and deny-by-default, along with the other positive design attributes that make up a robust web-based access control mechanism.
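To make the module's contrast concrete, here is an added illustration (constructed for this page, not course material) of a fail-open, hard-coded check beside an activity-based, deny-by-default check that also enforces horizontal (ownership) access control. The `User`, `Invoice` and `POLICY` names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int   # data context: which user this record belongs to


def can_view_invoice_antipattern(user, invoice):
    """Anti-pattern: hard-coded role policy that fails open and never
    checks whether the invoice belongs to the caller (no horizontal
    access control). Any non-guest can read any other user's invoice."""
    if "guest" in user.roles:
        return False
    return True  # fail open: everything not explicitly denied is allowed


# Positive pattern: policy is configuration data keyed by *activity*,
# not by role names scattered through the code. Each rule names the
# roles allowed to perform the activity and whether the owner of the
# record may also perform it (data-contextual, horizontal check).
POLICY = {
    "invoice:view":   {"roles": {"admin", "accountant"}, "owner_may": True},
    "invoice:delete": {"roles": {"admin"},               "owner_may": False},
}


def is_authorized(user, activity, resource=None, policy=POLICY):
    """Deny by default: only an explicit rule can grant access."""
    rule = policy.get(activity)
    if rule is None:
        return False                      # unknown activity -> deny
    if user.roles & rule["roles"]:
        return True                       # vertical (role) grant
    if rule["owner_may"] and resource is not None \
            and resource.owner_id == user.id:
        return True                       # horizontal (ownership) grant
    return False                          # everything else is denied
```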

– AngularJS Security (1 hr)

AngularJS is one of the most popular and exciting JavaScript UI frameworks in use today. This module will discuss what AngularJS is, how it is built and the various security controls contained within it, including Strict Contextual Escaping, HTML sanitization, Content Security Policy integration, the double-submit cookie defense and JSON hijacking protection.


Speakers

Jim Manico

Founder, Secure Coding Instructor, Manicode Security
Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the JavaOne Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization and is the author of "Iron-Clad Java: Building Secure Web Applications" from...


Monday January 23, 2017 9:00am - 5:00pm
Garden Terrace Room