Enterprise Application Security Workshop Series



Similar documents
Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

elearning for Secure Application Development

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

What is Web Security? Motivation

(WAPT) Web Application Penetration Testing

JVA-122. Secure Java Web Development

Mobile Application Security and Penetration Testing Syllabus

Check list for web developers

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Criteria for web application security check. Version

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

Where every interaction matters.

Secure development and the SDLC. Presented By Jerry

The Security of MDM systems. Hack In Paris 2013 Sebastien Andrivet

Sitefinity Security and Best Practices

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Web application security

Chapter 1 Web Application (In)security 1

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Magento Security and Vulnerabilities. Roman Stepanov

APPLICATION SECURITY AND ITS IMPORTANCE

Ruby on Rails Secure Coding Recommendations

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Hack Proof Your Webapps

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Web Application Security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

OWASP Top Ten Tools and Tactics

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web Application Guidelines

Lecture 11 Web Application Security (part 1)

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Intrusion detection for web applications

Thick Client Application Security

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Cloud Security:Threats & Mitgations

Web Application Security Assessment and Vulnerability Mitigation Tests

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Web Application Report

Passing PCI Compliance How to Address the Application Security Mandates

Web Application Security

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Gateway Apps - Security Summary SECURITY SUMMARY

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Certified Secure Web Application Secure Development Checklist

OWASP AND APPLICATION SECURITY

Workday Mobile Security FAQ

Network Test Labs (NTL) Software Testing Services for igaming

Web Application Vulnerability Testing with Nessus

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Sichere Webanwendungen mit Java

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Still Aren't Doing. Frank Kim

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

WEB APPLICATION SECURITY

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Web Application Penetration Testing

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Adobe Systems Incorporated

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Mobile Applications: The True Potential Risks Where to look for information when performing a Pentest on a Mobile Application

Web Application Security

Application Security Vulnerabilities, Mitigation, and Consequences

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Ethical Hacking as a Professional Penetration Testing Technique

MANAGED SECURITY TESTING

Pentesting iphone Applications. Satishb3

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

The Top Web Application Attacks: Are you vulnerable?

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Securing Secure Browsers

Security Evaluation CLX.Sentinel

Project 2: Web Security Pitfalls

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Rational AppScan & Ounce Products

Sichere Software- Entwicklung für Java Entwickler

Web-Application Security

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Transcription:

Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com

Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants will gain valuable insight into developing secure Java applications. The workshop will assist participants in understanding web application attacks and how they occur due to insecure coding practices. Participants will then see how to employ Java secure coding techniques to defend against these coding defects. Participants will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice. Participants completing this class will find their secure coding abilities materially sharpened and able to integrate these techniques in your organization. Introduction What is information security? Software security trends Defending CSRF Non-tokenizer pattern CSRF in JAVA ESAPI Anti-CSRF tokens Generating an ESAPI CSRF token Implementing Anti-CSRF Defending Forced Browsing Downloading arbitrary files Forced browsing Declarative authorization Implementing web.xml Defending Insecure Storage Storing information Hashing Salted hash Adding a salt Cipher block chaining EBC vs. CBC AES encryption Encrypting files Decrypting files Defending Parameters Buying a cheap TV HMACs Implementing HMAC Regular expressions Defending Session Hijacking Timeouts Configuring web.xml Issuing new session IDs New session after login Secure cookies Configuring web.xml Defending SQL Injection Accessing customers SQL injection Parameterized queries Implementing bind parameters Defending Redirects Redirect parameter Unchecked redirects Random access maps Using ESAPI access maps Server side redirects Defending XSS How XSS happens XSS EASPI escaping The importance of context Using ESAPI Escaping

Web Application Exploiting and Defending (3 Days) The Sage Group s Web Application Exploiting and Defending workshop will help participants learn key concepts in web application security, the vulnerabilities that exist and how hackers exploit modern day applications for their own gain. Participants will be well-versed in describing common attacks and will be able to express how these scenarios could affect their own business applications. This workshop covers compliance requirements for PCI DSS 6.3.7 and 6.5. Introduction What is information security? Software security trends Authentication Authentication 101 Factors of authentication Authentication weaknesses Authorization and Access Control Authorization 101 Horizontal & vertical privilege escalation Access controls common techniques Session Management Session 101 Hijacking sessions Session ID weaknesses CSRF Session management best practices Data Validation Methods of validation Cross-site scripting SQL injection Data encoding issues Parameter manipulation Cryptography Basics of cryptography Random numbers Hashing of data About SSL and weak encryption Misc. Topics in Security Leakage and error handling Accountability 3rd party code File references

Defending.NET Applications (3 Days) In The Sage Group s Defending.NET Applications workshop, participants will gain valuable insight into developing secure Microsoft.NET applications for the.net framework up to 4.5. The workshop will assist participants in understanding web application attacks and how they occur due to insecure coding practices. Participants will then see how to employ.net secure coding techniques to defend against these coding defects. Participants will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice. Participants completing this class will find their secure coding abilities materially sharpened and able to integrate these techniques in your organization. Topics covered Defending CSRF Non-tokenizer pattern CSRF in.net Anti-CSRF tokens Generating a token Implementing Anti-CSRF Defending Forced Browsing Downloading arbitrary files Forced Browsing Indirect Access Maps Creating mappings Implementing access maps Defending Insecure Storage Storing information Managing keys

Defending.NET Applications (cont) Salting Hashses Problem with hashes Adding a salt PBKDF2 Deriving a key from password Implementing RFC2898 AES encryption Encrypting files with PBKDF2 Decrypting files Defending Redirects Tampered query strings Unchecked redirect URL mapping GUIDs mapped to URLs Defending SQL Injection Listing customer tables SQL injection tampering Bind parameters Changing the secure query Implementing bind parameter Defending XSS Insecure output XSS Escaping AntiXSS and encoder Importance of context Defending Authorization/Sessions Sessions Session timeout Configuring timeouts Contained based authorization Modifying web config Autocomplete

Defending PHP Applications (2 Days) In The Sage Group s Defending PHP Applications workshop, participants will gain valuable insight in to developing secure PHP5 applications. The workshop will show participants the latest in webbased threats and how participants should go about defending them. Participants will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and build safer web applications from the start. Participants completing this class will find their secure coding abilities materially sharpened and able to integrate these techniques in your organization. Introduction OWASP Top 10 Defending PHP5 SQL Injection About SQL injection Real-time example Newsflash Parameterized queries Cross-site Scripting About XSS Blacklist validation Whitelist validation Safe re-encoding Safe vs unsafe HTTPonly Session Hijacking About session hijacking Stealing credentials Encryption Short session timeouts Parameter Manipulation About parameter manipulation Server-side validation Session variables Insecure Storage About insecure storage Sensitivity of information Threat modeling Hashing passwords Forcible Browsing About forcible browsing Page level authorization Programmed authorization Cross-site Request Forgery About XSRF Meg goes shopping Decreasing timeouts XSRF tokens Re-authentication Insecure Configuration About insecure configuration Users, software Hardening Standardized builds Patch management Updates and audits Unchecked redirects About unchecked redirects Newsflash Validating parameters Server-side checks Clear-Text Communication About clear-text communication Eavesdropping Newsflash Encryption in transit Proper SSL implementations SQL Injection Defenses Parameterized queries in PHP MySQL PHP data objects XSS Defenses Whitelisting Output re-encoding in PHP HTTP Only in PHP Session Hijacking Defenses SSL Encryption Shorter session timeouts Parameter Manipulation Defenses Security logic Regular expressions Centralized validation Insecure Storage Defenses MCrypt library Hashing Storing passwords with Bcrypt Forcible Browsing Defenses Access controls Programmed authorization XSRF Defenses Best practices XSRF tokens Insecure Configuration Defenses Register globals Error reporting and trace Logging Safe mode Magic quotes Session management Unchecked Redirects PHP header redirects Indirect object mapping in PHP Clear-Text communication Enabling encryption Enforcing strong ciphers

Mobile Hacking and Securing (2 Days) In The Sage Group s Mobile Hacking and Securing workshop, participants will discover mobile hacking techniques for Android and ios. They will understand the platform security models, device security models, app analysis, file system analysis and runtime analysis for these popular mobile operating systems. This workshop will provide participants with the knowledge necessary to assess mobile app security including what hackers look for in mobile apps. Hacking apps themselves will equip them with the skills required to protect their own apps from attacks. Participants will come out with an understanding of the pitfalls to mobile device security and the importance of developing mobile apps securely. They will learn the concepts necessary to securely develop mobile in your organization. Introduction The mobile landscape Device Security Model Mobile OS security models App distribution models Sandboxing and permissions structure Differences from iphone/android platforms The risk of users who trust apps too much Common attack vectors in mobile security Protocol Analysis Proxying Android / iphone Handling SSL certificate trust Emulator & simulator proxying Physical device proxying Tools required for intercepting traffic LAB: Proxying mobile app traffic LAB: Mobile traffic manipulation Device File System Analysis Android file system analysis Using android debugging bridge Retrieving files from the device iphone file system analysis SSH access to iphone SCP to retrieve files from device LAB: Insecure file storage Common data storage types for mobile OS Logging for developers Assessing logs on Android/iPhone LAB: Insecure logging Mobile App Decompilation Android APK packaging Application layout Android manifest and permissions Disassembly and decompilation LAB: Basic encryption iphone IPA packaging

Mobile Hacking and Securing (cont) Handling plists Assessing the binary LAB: Advanced encryption Mobile Run-time Analysis Why runtime analysis? Debugging as an attack vector Rooting and jailbreak of devices Accessing Android memory at runtime DDMS and MAT LAB: Dumping memory iphone debugging Other Mobile Topics Mobile cryptography Password based key derivation LAB: Password complexity Jailbreak detection State of mobile malware Mobile malware defense Mobile Run-time Analysis Why runtime analysis? Debugging as an attack vector Rooting and jailbreak of devices Accessing Android memory at runtime DDMS and MAT LAB: Dumping memory iphone debugging Multi-platform Development Why multiplatform? How wrapper APIs work HTML5 codebase concerns PhoneGap example Implications to JavaScript bridging Native features through JS JS to native API in ios/android Dynamic loading and minification LAB: HTML at rest Mobile HTML5 Web HTML5 mobile apps Clickjacking Framebusting X-FRAME-OPTIONS Tapjacking Android defenses SQL Injection (local vs mobile) Parameterized SQL XSS Existing XSS mobile exploits JS bridging concerns Safe output encoding Securing WebView Local storage Use of local storage Securing local storage Device API Weaknesses SSL Android / ios SSL best practice Weak ciphers XML Parsing Prevalence in Android/iOS External entity references Virtual Keyboards ios keyboard cache Android 3rd party keyboards PIN entry Copy and Paste ios UIPasteboard Android ClipboardManager Trouble with WebView ios Snapshots Preventing insecure snapshots Good backgrounding Geolocation ios / Android geolocation management Address Book API Privacy URL Handlers / IPC ios URL schemes Skype vulnerability Android intent filters / IPC LAB: URLs handlers to XSS Other Mobile Topics Endpoint Security Weak SSL Securing cookies Mobile Cryptography Password based key derivation LAB: Password complexity Jailbreak detection State of mobile malware Mobile malware defense Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com C8: Enterprise Security

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information