Offensive Perspective - OWASP Security for Developers

Develop ”Out-of-box” thinking related to web secure codin and see security from offensive perspective

Ratings: 4.41 / 5.00




Description

You will learn to protect your web application by attacking it, by performing penetration testing on it. This course is rather theoretical with only some labs and demos.


Objectives

  • Develop ”Out-of-box” thinking

  • See security from an offensive perspective

  • Learn best security practices and (most and less) common attacks

  • Learn to defend your applications and infrastructure

Topics

  • Overview of Web Penetration Testing

  • OWASP Top Ten Web Vulnerabilities

  • API Top Ten vulnerabilities

  • HTTP Security Headers

  • JSON Web Tokens

  • Technical measures and best practices

  • Cryptography

Overview of Web Penetration Testing

  • Core problems

  • Web Technologies basics

  • Security Audit vs Vulnerability Assessment vs Pentest

  • Information Gathering

  • Scanning and Enumeration

  • Mapping the target surface

  • Attacking Users. Cross Site Scripting

  • Attacking the Server

  • Attacking Authentication

  • Attacking Data Stores

Top 10 API Security Vulnerabilities

  • API Vulnerabilities

  • Examples of vulnerabilities found in publicly accessible applications

OWASP Top Ten Web Vulnerabilities

  • A1: Injection

  • A2 – Broken Authentication and Session Management

  • A3 – Cross-Site Scripting (XSS)

  • A4 – Insecure Direct Object References

  • A5 – Security Misconfiguration

  • A6 – Sensitive data Exposure

  • A7 – Missing Function Level Access Control

  • A8 – Cross-Site Request Forgery (CSRF)

  • A9 – Using Components with Known Vulnerabilities

  • A10 – Unvalidated Redirects and Forwards

  • New Addition in OWASP TOP 10 - 2017

  • A4 - XML External entities (XXE)

  • A5 – Broken Access Control

  • A8 – Insecure Deserialization

  • A10 - Insufficient Logging & Monitoring

  • New additions in 2021

  • Common Vulnerabilities: XSS, SQL Injection, CSRF, XXE, LFI

HTTP Security Headers

  • Understand HTTP Security Tokens and their role

  • HSTS - Strict-Transport-Security

  • CSP - Content-Security-Policy

  • CORS

  • X-Frame-Options

  • X-XSS-Protection

  • X-Content-Type-Options

  • Referrer-Policy

  • Cookie flags: HTTPOnly, Secure

JSON Web Tokens

  • Understanding JSON WEB TOKENS

  • Token Structure

  • When can you use JWT

  • Issues

  • What is JWT good for?

  • Best Practices for JSON Web Tokens

Technical measures and best practices

  • Input Validation

  • Encoding

  • Bind Parameters for Database Queries

  • Protect Data in Transit

  • Hash and Salt Your Users' Passwords

  • Encrypt Data at Rest

  • Logging - Best practices

  • Authenticate Users Safely

  • Protect User Sessions

  • Authorize Actions

Cryptography

  • Cryptographic concepts

  • Algorithms

  • Cryptography and cryptanalysis tools

  • Cryptography attacks

What You Will Learn!

  • Best practices when it comes to secure coding for web developers
  • OWASP Top 10 Web vulnerabilities
  • "Out-of-box thinking" when it comes to exploiting certain vulnerabilities
  • Learn certain tools and frameworks for offensive perspective

Who Should Attend!

  • Developers, Dev(Sec)Ops and software architects mostly
  • Also useful for system administrators, technical managers and CISO
  • Ethical Hackers, Penetration Testers, Bug Bounty Fans