Jim Manico: Building Secure APIs and Web Applications
The major cause of web service and web application insecurity is insecure software development practices. This intensive and interactive Masterclass provides essential application security training for web application and web service developers and architects. The class combines lecture, security testing demonstrations and code review. Students will learn the most common threats against applications and, more importantly, how to code secure web solutions using defense-based code samples.
Agenda: Day 1 | Focus on web application basics
- Introduction to Application Security
- Introduction to Security Goals and Threats
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- Content Security Policy
- Introduction to Angular.JS Security
- Introduction to React.JS Security
- SQL and other Injection
- Cross Site Request Forgery
- File Upload and File IO Security
- Deserialization Security
- Input Validation Basics
- OWASP Top Ten 2017
- OWASP ASVS
Agenda: Day 2 | Focus on API secure coding, identity & other advanced topics
- OAuth Security
- HTTPS/TLS Best Practices
- Third-party Library Security Management
- Application Layer Intrusion Detection
Agenda: Day 3 | Labs & Exercises
We will have three different lab environments for students to choose from:
- Lab 1 will be a classic web application CTF hacking competition. This uses older tech in a neat lab setup for folks who are new to web hacking. This is a great platform for beginners.
- Lab 2 will be a MEAN stack application that is more challenging to hack. This is a great lab platform for more advanced testers.
- Lab 3 will be a secure coding CTF. This is a professional platform for developers to test their secure coding skills.
Prerequisites:
- Familiarity with the technical details of building web applications and web services from a software engineering point of view.
- Any laptop that can run an updated web browser and "Burp Community Edition".