Secure Coding Bootcamp for the Web
The major cause of web insecurity is the lack of secure software development practices. This one-day bootcamp will help developers and other software professionals build and maintain secure applications. This class contains a combination of lecture, security testing demonstration and code review.
This following modules will be included in this class.
– HTTP Basics (1 hr)
In this module we will cover the various security implications of using the HTTP protocol for web and webservice development. Topics such as the proper use of HTTP verbs and HTTP security response headers will be covered. We will also demonstrate the use of an intercepting proxy tool to demonstrate how attackers modify request data to harm your applications. This module will also introduce several methods needed to properly transmit sensitive data over HTTPS.
– SQL and other Injection (.5 hrs)
Injection is an application weakness that will allow attackers to execute harmful SQL, Operating System, LDAP and other commands against your application. This is one of the most dangerous vulnerabilities possible. This module will review several forms of injection with live demonstrations. We will discuss the limits of input validation, and focus on more robust defenses such as query parameterization and encoding.
– Authentication (2.5 hrs)
Authentication is the “front gate” of any application and is used to establish the identity of your users. This module will discuss the security mechanisms found within a secure authentication layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk high-security web application. Session management threats and best practices will also be covered. This module will also include code review labs.
– OAuth Security (2 hrs)
OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or an access control in your applications. Even more confusing, OAuth is not a standard and various service providers will likely have different implementations. Let’s say it again, OAuth is not a standard – its a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will me answered in this module.
– Access Control (1 hr)
Access Control is a necessary security control at almost every layer within a web application. This module will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, deny-by-default and other positive design attributes that make up a robust web-based access-control mechanism.
– Angular.JS Security (1 hr)
AngularJS is one of the most popular and exciting JavaScript UI frameworks in use today. This module will discuss what AngularJS is, how it is built and the various security controls contained with in. We’ll discuss the various controls contained within AngularJS including Strict Contextual Escaping, HTML Sanitization, Content Security Policy Integration, Double-submit cookie defense and JSON hijacking protection.
