Workshop: Attack and Defense: API and Web Application Security

The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application/API developers, architects and Q/A staff. Both attack and defense theory will be covered.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to both code secure web solutions via defense-based code samples and conduct penetration testing.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. We will utilize a series of professional tools and techniques used to test the security of your application. This course will include security information for Java, PHP, Python, Javascript, and .NET programmers, but any Q/A professional or software developer building web applications and webservices will benefit.

Student Requirements
Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Computer setup
Any laptop that can run an updated web browser and "Burp Community Edition".

Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross-Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017

Day 2 of the course will focus on API secure coding, Identity, and other advanced topics.

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth 2 Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection

The course will include several hacking and secure coding labs!