Tuesday

Room 4

09:00 - 17:00 (UTC+02)

2 Days

Building Secure APIs and Web Applications

The major cause of webservice, microservice, and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers.

Security
Web

The class is a combination of lectures, security testing demonstrations, code review, and interactive threat modeling discussions. Students will learn the most common threats against applications. More importantly, students will learn how to write secure software through techniques such as secure design practices, defensive coding, the use of security libraries and services, and the application of web security standards.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality, scalable controls from various languages and frameworks, including Java, PHP, Python, JavaScript, and .NET, but any developer building web applications and webservices will benefit from this class.

Student Requirements:

Familiarity with the technical details of building web applications and webservices from a software engineering point of view.

Laptop Requirements:

Any laptop that can run an up-to-date web browser and Burp Suite Community Edition.

Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to AngularJS Security
  • Intro to React Security
  • Intro to Vue.js Security
  • SQL and other Injection
  • Cross-Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS

Day 2 of the course will focus on secure API coding, identity, and other advanced topics.

  • Webservice, Microservice, and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth 2 Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection
  • Secrets Management

The course will include several hacking and secure coding labs!

Jim Manico

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for Nucleus Security, BitDiscovery, SecureCircle, and Inspectiv. Jim is a frequent speaker on software security practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP Foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheat Sheet Series. For more information, see https://www.linkedin.com/in/jmanico.