CSD - Certified Secure Developer

Overview

Duration: 3.0 days

Rising Security Exploits: The Cost of Ignoring Secure Development Processes.

Only careful design and coding can protect today’s business applications. Most programmers, content managers and webmasters understand very little about secure development processes. Instead, they rely on network firewalls for security. Unfortunately, these firewalls cannot distinguish between legitimate application traffic and packets from a hacker intended to subvert the unprotected logic of the software.

Just as importantly, the network mechanisms cannot classify sensitive data (e.g., account names, credit card numbers or passwords) passed from the application to unauthorized individuals. Thus, much software represents a “ticking time bomb” to the organization, vulnerable to a wide variety of attacks used to vandalize, disable or subvert its intended service.

Over the past two years, there has been a sharp rise in security exploits against vulnerable application software. Many companies devote substantial resources to auditing their business applications. These same companies then spend money and time fixing the problems identified. Even worse, most companies expend much greater resources responding to attacks against vulnerable software. Often, these weaknesses cannot be identified during post-development audits, so companies spend twice.

Objectives

  • Web Application – Security Basics
  • Principles of Secure Development
  • OWASP & SANS Top Web Application Vulnerabilities – Attacks & Defenses
  • Application Security Testing

Content

Module 1: Web Application – Security Basics

  • What is Security?
  • What is Secure Coding?
  • Why are Anti-virus, Firewall, IPS and IDS not enough to stop application hacking?
  • Why do you need a Web Application Firewall?
  • Protocol Basics of HTTP and HTTPS
  • Stateless protocol
  • Why are Cookies and/or Sessions an integral part of web applications?
  • Issues in the protocol structures of the web
  • A Holistic approach to Security
  • Secure the Network, Host & Application
  • Cyber Kill Chain
  • Web application Security Landscape
  • RACI Matrix
  • Application Vulnerability Attacks (Case Study and Discussion)

Module 2: Threat Modeling

  • Introduction to Threat Modeling
  • STRIDE Threat Model
  • PASTA Threat Model
  • LINDDUN Threat Model
  • CVSS Threat Model
  • Security Architecture Design Principles: Security by Design, Privacy by Design
  • Threat Modeling an application using STRIDE tool: DEMO

Module 3: Principles of Secure Development

The 8 Principles of Secure Development are the basic foundation blocks of Secure Programming. Generally, these 8 principles are not followed during the software development process, resulting in applications with tons of vulnerabilities that are easily exploited by hackers/intruders.

  • Input Validation
  • Output Validation
  • Error Handling
  • Authentication and Authorization
  • Session Management
  • Secure Communications
  • Secure Storage
  • Secure Resource Access

Module 4: OWASP & SANS Top Web Application Vulnerabilities – Attacks & Defenses

Hands-on Labs on Attacks and Defenses:

  • SQL Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • LDAP Injection
  • Command Injection
  • Parameter/Form Tampering
  • Payment Gateway Hacking
  • XML External Entities (XXE)
  • Improper Error Handling
  • Unvalidated Input
  • Insecure Deserialization
  • Directory Traversal
  • Cookie Poisoning
  • Insecure Storage
  • Information Leakage
  • Denial of Service
  • Broken Access Control
  • Log Tampering
  • Broken Session Management
  • Session Fixation
  • Security Misconfiguration
  • File Upload and Download, and many more

Module 5: Third Party Libraries and API Security

  • Advantages & Disadvantages
  • Wrapping Third Party API
  • Top 10 Third Party Libraries
  • API Security: Common Attacks and Defenses
  • API Security Tools

Module 6: Secure Code Testing

  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Interactive Application Security Testing
  • Automatic and Manual Vulnerability Scanning with W3af, Wapiti, Nikto, BurpSuite, etc.
  • Password Cracking
  • HTTP DOS
  • Automated and Manual Exploitation of Web Vulnerabilities using tons of Scripts
  • Vulnerability Assessment reporting with Remediations and Mitigations

Audience

  • Security Software Developer

Prerequisites

There are no prerequisites required to attend this course.
