WEBAP - Web Application Security Training Course

Android serves as an open platform for mobile devices, including smartphones and tablets. While it offers a broad range of security features to facilitate the development of secure software, it also lacks certain security aspects found in other handheld platforms. This course provides a comprehensive overview of these features, highlighting critical shortcomings related to the underlying Linux system, the file system, and the general environment. It also addresses issues associated with permission management and other Android software development components.

Typical security pitfalls and vulnerabilities are examined for both native code and Java applications, alongside recommendations and best practices to prevent and mitigate them. Many of the discussed issues are supported by real-life examples and case studies. Finally, we provide a brief overview on utilizing security testing tools to identify security-related programming bugs.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about Android security solutions
• Learn to utilize various security features of the Android platform
• Gain insight into recent Java vulnerabilities on Android
• Understand typical coding mistakes and how to avoid them
• Gain understanding of native code vulnerabilities on Android
• Realize the severe consequences of insecure buffer handling in native code
• Understand architectural protection techniques and their weaknesses
• Obtain resources and further reading on secure coding practices

Audience

Professionals

Implementing a secure networked application can be challenging, even for developers who have previously used various cryptographic building blocks (such as encryption and digital signatures). To help participants grasp the role and usage of these cryptographic primitives, the course first establishes a solid foundation on the main requirements of secure communication – secure acknowledgement, integrity, confidentiality, remote identification, and anonymity – while also presenting typical problems that can compromise these requirements along with real-world solutions.

As cryptography is a critical aspect of network security, the course discusses the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Instead of presenting an in-depth mathematical background, these elements are discussed from a developer's perspective, showing typical use-case examples and practical considerations related to the use of crypto, such as public key infrastructures. Security protocols in many areas of secure communication are introduced, with an in-depth discussion on the most widely-used protocol families such as IPSEC and SSL/TLS.

Typical crypto vulnerabilities are discussed both related to certain crypto algorithms and cryptographic protocols, such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE and similar, as well as the RSA timing attack. In each case, the practical considerations and potential consequences are described for each problem, again, without going into deep mathematical details.

Finally, as XML technology is central for data exchange by networked applications, the security aspects of XML are described. This includes the usage of XML within web services and SOAP messages alongside protection measures such as XML signature and XML encryption – as well as weaknesses in those protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.

Participants attending this course will

• Understand basic concepts of security, IT security and secure coding
• Understand the requirements of secure communication
• Learn about network attacks and defenses at different OSI layers
• Have a practical understanding of cryptography
• Understand essential security protocols
• Understand some recent attacks against cryptosystems
• Get information about some recent related vulnerabilities
• Understand security concepts of Web services
• Get sources and further readings on secure coding practices

Audience

Developers, Professionals

This three-day course provides an introduction to safeguarding C/C++ code against malicious actors who might exploit vulnerabilities related to memory management and input handling. The training focuses on the core principles of developing secure code.

Even seasoned Java developers do not necessarily master every security service provided by Java, nor are they always fully aware of the various vulnerabilities relevant to Java-based web applications.

Beyond introducing the security components of Standard Java Edition, this course addresses security challenges in Java Enterprise Edition (JEE) and web services. The discussion of specific services is preceded by an exploration of the foundations of cryptography and secure communication. Practical exercises cover both declarative and programmatic security techniques in JEE, while the course examines transport-layer and end-to-end security for web services. Participants will engage in hands-on exercises to explore the discussed APIs and tools firsthand.

The course also examines and explains the most common and severe programming flaws in the Java language and platform, along with web-related vulnerabilities. In addition to typical errors made by Java developers, the introduced security vulnerabilities encompass both language-specific issues and problems arising from the runtime environment. All vulnerabilities and their associated attacks are demonstrated through clear, practical exercises, followed by recommended coding guidelines and potential mitigation strategies.

Participants attending this course will

• Grasp the fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and understand how to avoid them
• Comprehend the security concepts underpinning web services
• Gain proficiency in utilizing various security features within the Java development environment
• Develop a practical understanding of cryptography
• Understand the security solutions offered by Java EE
• Identify typical coding mistakes and learn how to prevent them
• Gain insight into recent vulnerabilities within the Java framework
• Acquire practical knowledge of security testing tools
• Receive resources and further reading materials on secure coding practices

Audience

Developers

Description

The Java language and the Java Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities experienced in other languages, like C/C++. Yet, software developers and architects should not only know how to use the various security features of the Java environment (positive security), but should also be aware of the numerous vulnerabilities that are still relevant for Java development (negative security).

The introduction of security services is preceded with a brief overview of the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. The use of these components is presented through several practical exercises, where participants can try out the discussed APIs for themselves.

The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform, covering both the typical bugs committed by Java programmers and the language- and environment-specific issues. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques.

Participants attending this course will

• Understand basic concepts of security, IT security and secure coding
• Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
• Learn to use various security features of the Java development environment
• Have a practical understanding of cryptography
• Learn about typical coding mistakes and how to avoid them
• Get information about some recent vulnerabilities in the Java framework
• Get sources and further readings on secure coding practices

Audience

Developers

Today, numerous programming languages allow code to be compiled for the .NET and ASP.NET frameworks. While the environment offers robust capabilities for security development, it is essential for developers to master architecture-level and coding-level techniques to implement desired security functionalities, prevent vulnerabilities, and mitigate their potential exploitation.

This course aims to equip developers with the skills to prevent untrusted code from executing privileged actions, protect resources via robust authentication and authorization mechanisms, manage remote procedure calls and sessions, and explore various implementation strategies through extensive hands-on exercises.

The curriculum introduces vulnerabilities by examining typical programming pitfalls associated with .NET. The discussion on ASP.NET vulnerabilities addresses various environment configurations and their impact. Furthermore, the topic of ASP.NET-specific vulnerabilities covers general web application security challenges, alongside specialized issues such as ViewState attacks and string termination exploits.

Participants attending this course will

• Grasp the fundamental concepts of security, IT security, and secure coding practices
• Identify web vulnerabilities beyond the OWASP Top Ten and learn how to avoid them
• Utilize various security features within the .NET development environment
• Acquire practical knowledge in employing security testing tools
• Recognize common coding errors and understand how to prevent them
• Stay informed about recent vulnerabilities in .NET and ASP.NET
• Access sources and further reading materials on secure coding practices

Audience

Developers

This course introduces fundamental security concepts, providing an overview of vulnerabilities that transcend specific programming languages and platforms. It explains how to manage software security risks across all phases of the software development lifecycle. Rather than delving into intricate technical details, the course highlights the most prevalent and impactful vulnerabilities in various development technologies. It also outlines the challenges associated with security testing, offering techniques and tools to help identify existing issues within your code.

Participants attending this course will

• Grasp basic concepts of security, IT security, and secure coding
• Understand web vulnerabilities affecting both server and client sides
• Appreciate the serious consequences of improper buffer handling
• Stay informed about recent vulnerabilities in development environments and frameworks
• Learn about common coding errors and strategies to avoid them
• Comprehend security testing approaches and methodologies

Audience

Managers

This course equips PHP developers with essential skills to protect their applications against modern Internet-based threats. It explores web vulnerabilities through practical PHP examples, extending beyond the OWASP Top Ten to address various injection attacks, script injections, session handling flaws, insecure direct object references, file upload issues, and more. PHP-related vulnerabilities are categorized into standard types such as missing or improper input validation, incorrect error and exception handling, misuse of security features, and time- or state-related problems. Specific examples include open_basedir circumvention, denial-of-service attacks via magic floats, and hash table collision attacks. In each case, participants will learn key techniques and functions to mitigate these risks.

A significant emphasis is placed on client-side security, addressing vulnerabilities in JavaScript, Ajax, and HTML5. The course introduces several PHP security extensions, including hash, mcrypt, and OpenSSL for cryptography, as well as Ctype, ext/filter, and HTML Purifier for input validation. Best practices for hardening are covered in the context of PHP configuration (php.ini), Apache, and general server settings. Additionally, the course provides an overview of security testing tools and techniques for developers and testers, including security scanners, penetration testing, exploit packs, sniffers, proxy servers, fuzzing tools, and static source code analyzers.

Both the introduction of vulnerabilities and configuration practices are reinforced with hands-on exercises. These demonstrate the impact of successful attacks, show how to implement mitigation strategies, and introduce the use of various extensions and tools.

Participants attending this course will

• Gain a solid understanding of security concepts, IT security, and secure coding principles
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Understand client-side vulnerabilities and adopt secure coding practices
• Develop a practical grasp of cryptography
• Learn to utilize various PHP security features effectively
• Identify common coding errors and understand how to avoid them
• Stay informed about recent vulnerabilities in the PHP framework
• Acquire practical experience with security testing tools
• Access resources and further reading on secure coding practices

Audience

Developers

This comprehensive core training offers an in-depth look at secure software design, development, and testing through the lens of the Microsoft Secure Development Lifecycle (SDL). It begins with a level 100 overview of the fundamental building blocks of the SDL, followed by design techniques aimed at detecting and remedying flaws during the early stages of the development process.

Focusing on the development phase, the course provides an overview of common security-related programming bugs found in both managed and native code. The curriculum presents attack vectors associated with these vulnerabilities, alongside their corresponding mitigation techniques, all illustrated through numerous hands-on exercises that offer participants practical, live hacking experience. Following the introduction to various security testing methods, the effectiveness of different testing tools is demonstrated. Participants gain a clear understanding of how these tools operate through practical exercises, applying them to the vulnerable code examples discussed throughout the course.

Participants attending this course will

Understand the fundamental concepts of security, IT security, and secure coding

Become familiar with the essential steps of the Microsoft Secure Development Lifecycle

Learn secure design and development practices

Learn about secure implementation principles

Understand security testing methodology

• Access sources and further reading materials on secure coding practices

Audience

Developers, Managers

Upon gaining familiarity with vulnerabilities and attack vectors, participants will explore the general approach and methodology for security testing, along with the techniques used to uncover specific weaknesses. The process begins with information gathering regarding the system under evaluation (ToC), followed by comprehensive threat modeling to identify and prioritise all threats, ultimately leading to a risk analysis-driven test plan.

Security assessments occur at various stages of the SDLC. We examine design reviews, code reviews, reconnaissance, and information gathering about the system, as well as testing the implementation and hardening the environment for secure deployment. Detailed introductions are provided for various security testing techniques, including taint analysis, heuristic-based code review, static code analysis, dynamic web vulnerability testing, and fuzzing. Participants are introduced to a range of tools designed to automate the security evaluation of software products. This theoretical knowledge is reinforced through practical exercises where these tools are used to analyse previously discussed vulnerable code. Real-world case studies further aid in understanding diverse vulnerability types.

This course equips testers and QA staff with the ability to effectively plan and execute security tests, select and utilise appropriate tools and techniques to detect even concealed security flaws, and acquire essential practical skills applicable from the very next working day.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Comprehend security testing approaches and methodologies
• Acquire practical experience with security testing techniques and tools
• Access resources and further reading materials on secure coding practices

Audience

Developers, Testers

Protecting web-accessible applications demands security professionals who are thoroughly prepared and continuously aware of current attack vectors and trends. A wide array of technologies and environments supports the comfortable development of web applications. It is essential to be cognisant not only of security issues specific to these platforms but also of general vulnerabilities that apply irrespective of the development tools used.

This course provides an overview of applicable security solutions for web applications, with a special emphasis on understanding key cryptographic mechanisms. Various web application vulnerabilities are presented for both server-side (following the OWASP Top Ten) and client-side contexts, demonstrated through relevant attacks, and followed by recommended coding techniques and mitigation methods to avoid these issues. The topic of secure coding is concluded by discussing typical security-related programming errors, particularly regarding input validation, improper use of security features, and code quality.

Testing plays a critical role in ensuring the security and robustness of web applications. Various approaches – from high-level auditing and penetration testing to ethical hacking – can be employed to identify vulnerabilities of different types. However, to move beyond easily discoverable low-hanging fruit, security testing must be well-planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, whereas adversaries need only find one exploitable vulnerability to gain access.

Practical exercises will aid in understanding web application vulnerabilities, programming mistakes, and, most importantly, mitigation techniques. Through hands-on trials with various testing tools – ranging from security scanners, sniffers, and proxy servers to fuzzing tools and static source code analyzers – this course delivers the essential practical skills that can be applied in the workplace the very next day.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Learn about client-side vulnerabilities and secure coding practices
• Gain a practical understanding of cryptography
• Understand security testing approaches and methodologies
• Acquire practical knowledge in using security testing techniques and tools
• Stay informed about recent vulnerabilities in various platforms, frameworks, and libraries
• Access resources and further reading on secure coding practices

Audience

Developers, Testers

In this instructor-led, live course in Portugal, participants will learn how to formulate an effective security strategy to address the challenges of DevOps security.

The EC-Council Certified DevSecOps Engineer (ECDE) is a practical course designed to empower professionals with the expertise needed to embed security throughout the DevOps lifecycle, thereby facilitating secure software development from the initial planning stages through to deployment.

This instructor-led live training, available both online and onsite, is tailored for intermediate-level software and DevOps professionals who aim to integrate robust security practices into their CI/CD pipelines, ensuring that code delivery is both secure and compliant.

Upon completion of this training, participants will be capable of:

• Grasping the core principles and practices of DevSecOps.
• Securing all stages of the CI/CD pipeline using automated tools.
• Implementing secure coding standards and vulnerability scanning techniques.
• Preparing for the ECDE certification through practical labs and comprehensive reviews.

Course Format

• Interactive lectures and discussions.
• Practical application of DevSecOps tools within simulated pipelines.
• Guided exercises focused on secure development and deployment strategies.

Customization Options

• To arrange a customized training session tailored to your team’s specific workflows or toolchain, please contact us to coordinate.

This course in Portugal aims to assist with the following:

1. Help developers master the techniques of writing secure code
2. Help software testers assess the application's security before it is published to the production environment
3. Help software architects understand the risks associated with applications
4. Help team leaders establish security baselines for developers
5. Help web masters configure servers to avoid misconfigurations

This course explores secure coding principles and practices for Java, utilizing the testing methodologies established by the Open Web Application Security Project (OWASP). The Open Web Application Security Project is a vibrant online community dedicated to producing freely accessible articles, methodologies, documentation, tools, and technologies focused on web application security.