New OWASP Top 10 - Exploitation and Effective Safeguards [Day 2 of 2], presented at OWASP AppSec California 2018

by Jim Manico

Summary:

Please note: Training Sessions are not included in the Conference price. Sign up now! Check for availability and pricing on Eventbrite.

Course Abstract:

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This course provides web developers deep hands-on knowledge about the OWASP Top 10 most critical web application security risks. Participants will first learn the technical details about each vulnerability. Demos, attack examples, threat modeling discussions, code review and other methods will be used to describe and discuss each risk.

Participants taking the class will practice security assessment techniques through several hands-on exercises using the free version of Burp Proxy and a safe online hacking environment. We focus on the manual assessment techniques of this popular tool.

The majority of the course will focus on defensive theory. Hacking a web application, as we will find out, is not a difficult task for an experienced web developer armed with the right knowledge. However, defending a web application is difficult and complex work. Mastering web defense is the primary thrust of this course.

Course Objectives:
- Understand how hackers attack web applications in order to better defend them
- Learn how to test your own web application
- Which security safeguards are truly effective (and which ones are not)
- Understand secure coding best practices

Training Outline:
1. OWASP Top 10 web app vulnerabilities:
   A1 - Injection (Command Injection, SQL Injection)
   A2 - Broken Authentication
   A3 - Sensitive Data Exposure
   A4 - XML External Entities (XXE)
   A5 - Broken Access Control
   A6 - Security Misconfiguration
   A7 - Cross-Site Scripting (XSS)
   A8 - Insecure Deserialization
   A9 - Using Components with Known Vulnerabilities
   A10 - Insufficient Logging and Monitoring
2. Password Management
3. Secure Coding Best Practices
4. HTTPS Best Practices
5. Using a Vulnerability Proxy
… and much more!

Hands-on Exercises:
1. Input Validation
2. Cross Site Scripting Filter Bypass
3. Online Password Guessing Attack
4. Account Harvesting
5. Injection Attacks
6. Using a Web Application Vulnerability Proxy
… and much more!

Upon the completion of this training, attendees will know:
- Most critical web application vulnerabilities
- Secure coding best practices
- How to use common security assessment tools

Attendees will be provided with (by trainer):
- The slides in raw PPT format
- Access to the online lab environment during and after class
- “cheat mode” that reveals all answers will be enabled after class

Attendees should bring:
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 30 GB of free disk space and either VMWare Workstation Player (free 30-day trial), VMWare Workstation Pro, VMWare Fusion or Oracle VirtualBox pre-installed. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.

Prerequisites for attendees:
This course is designed to help intermediate and expert web developers and web architects understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will also benefit from this class.