Recommended
More Related Content
What's hot
What's hot (20)
Similar to Secure Application Development Training
Similar to Secure Application Development Training (20)
Recently uploaded
Recently uploaded (20)
Secure Application Development Training
- 1. Secure Web Application Development Training w w w . p i v o t a l s e c u r i t y . c o m Pivotal Security LLC 14006 SE 6th ST #9 Bellevue, WA 98007 USA Phone (425) 686-9695 Email info@pivotalsecurity.com Page 1 of 5
- 2. Introduction Every year, billions of dollars are wasted in responding to information security related incidents. What if these incidents can be prevented at first place? Most of the vulnerabilities in software can be prevented by getting to know how to design and develop secure software. In addition to providing security consulting services like code review, threat modeling and penetration testing, Pivotal Security also provides secure application development training. Why Pivotal Security training? In contrast to “canned” approach, Pivotal Security customizes security training for your development team. We first work with you to understand various aspects of application development like methodology (waterfall, agile etc), complier and tools, testing and release process etc and then prepare a custom plan for training. This makes our training precise and provides much more value to attendees. Structure of the course Understanding different types of vulnerabilities Understanding solutions and platform (.NET, Java etc) features for remediation Demos of vulnerabilities and countermeasures Hands on project and Q&A What attendees say A fabulous Your session was presentation on Web very good. time. App Security. “I’m inspired” It’s really good I would like to express my thanks for such wonderful knowledge It was very useful. Pivotal Security | Introduction 2
- 3. Course Content Fundamentals Understand Common Attack Patterns (OWASP Top 10 for 2010) o A1: Injection o A2: Cross-Site Scripting (XSS) o A3: Broken Authentication and Session Management o A4: Insecure Direct Object References o A5: Cross-Site Request Forgery (CSRF) o A6: Security Misconfiguration o A7: Insecure Cryptographic Storage o A8: Failure to Restrict URL Access o A9: Insufficient Transport Layer Protection o A10: Unvalidated Redirects and Forwards Authentication Basics and how to design secure authentication protocols How to securely design “Forgot Password” (credential retrieval) functionality Understand different forms/types of authentication (Kerberos, NLM etc) Securely storing and managing credentials Authentication Design Guidelines Session management threats and guidelines Authorization Principle of Least Privilege Resource Based Authorization Role Based Authorization Resource Access Patterns o Trusted Sub-system model o Impersonation / Delegation model Cryptography Symmetric Encryption Asymmetric Encryption Hashing Applications of Cryptography o HMAC o Digital Signatures o SSL Secure confidential / critical data o At rest: In a database, on a file-system Pivotal Security | Course Content 3
- 4. o In transit: Over the network (internet, intranet etc) Secure storage of application configuration data Input Handling Input Validation Principles Consequences of Inappropriate Input Handling (demo and remediation techniques) o Cross-Site Scripting (XSS) o SQL Injection o One-Click Attacks o XML and XPath Injection o LDAP Injection o Response Splitting o Buffer overflows o Canonicalization issues o Unsafe file upload / creation o And many more… Error and Exception Handling Exception management Threats Exception management guidelines Logging and Auditing Logging Auditing What / When and Where to log Pivotal Security | Course Content 4
- 5. About Us Pivotal Security offers Information Security consulting and training services. We operate from Seattle, WA in USA and from Hyderabad, AP in India. Pivotal Security’s core team members have experience working at MNC’s including Microsoft and Honeywell and have provided consulting to government and private companies. The Core Team Gaurav Kumar, CISSP Founder Gaurav has over 7 years of experience in Information Security. He has worked with Honeywell Labs (Bangalore, India) where he was Senior Application Security Engineer responsible for securing Honeywell’s mission critical applications. During his term, he co- authored a patent on wireless security, received several awards like Technical Excellence and Team Excellence award and was certified Green Belt in Six Sigma processes. He later on worked with Microsoft (Hyderabad, India) as Security Consultant where he provided application security services to Microsoft Enterprise Customers in US and Asia. He was a guest trainer for OWASP 2008 New Delhi Conference and Training where he delivered training on how to develop secure .NET applications. For his contributions, he received Services Rock Star award by Microsoft. He moved to Redmond, USA to work at Microsoft headquarters as IT Audit Manager where was responsible for auditing IT systems of Microsoft and its subsidiaries worldwide. In June 2010, he founded Pivotal Security LLC to provide information security consulting services. Sachin Rawat, CISSP Partner (India operations) Sachin Rawat is an Information Security expert and B.Tech. (CSE) from IIIT-Hyderabad. He has been among top 10 winners out of 50,000 participants in a security competition organised by Microsoft. Prior to founding Viantra, he worked with ACE Security Team , a premier Information Security team at Microsoft where provided application and infrastructure security assessment and consulting services to business units within Microsoft and its clients. His responsibilities included: He has reviewed over 70 Line-Of-Business applications built across Microsoft and has delivered security trainings to 700+ Microsoft FTEs over multiple sessions. He has also delivered training sessions to 1100+ participants from Government and IT Companies across various training events. Pivotal Security | About Us 5