Training Developers to Build More Secure Web Applications

Transcription

Training Developers to Build More Secure Web Applications
A c c u v a n t
M a n a g e d
L A B S
S o l u t i o n s
Data Sheet
Web Application Security Education
Training Developers to Build More Secure
Web Applications
Accuvant’s Education Program Shares Coding Best Practices to Help Organizations
Minimize Vulnerabilities and Risk
In the rapidly evolving application security landscape, professionals in many roles –management, IT, information security,
and developers – all have an important part to play in securing web applications and reducing risk. This is primarily because
attackers search for vulnerabilities within these applications to steal data, hijack systems, or disrupt business.
While it is critical to find and fix vulnerabilities in already developed web applications, organizations can reduce their risk
by decreasing the volume of vulnerabilities before they are introduced. By arming their developers with industry best
practices to build more secure web applications, companies can help prevent an attack from ever occurring. However, many
organizations are challenged with training their teams of developers who work with various technologies and may be in
geographically disparate locations. This leaves many web applications susceptible to an attack.
Attendees of Accuvant’s
Web Application Security
Education courses:
Sharing Practical Knowledge with
Developers
To help you train your developers, Accuvant has created
its Web Application Security Education program, a series
of traditional instructor-led training (ILT) courses that
teach secure coding best practices. Each class is taught
by Accuvant LABS consultants who have analyzed and
secured the data assets of some of the world’s largest public
and private organizations and are recognized as industry
thought leaders. Extensive experience and ongoing, indepth research into the application security space allows our
consultants to deliver comprehensive and practical training
courses covering broad overviews. They also provide deepdives into core technologies such as C/C++, J2EE, .NET and
web services.
Learn how to identify and
fix website vulnerabilities
Discover which coding
errors make an organization
vulnerable to attack
Understand hacker’s tools
and techniques
In addition to providing ILT courses, we have partnered with
Security Compass, an information security consulting firm
that specializes in secure software development and training,
to deliver remote learning and computer-based training
(CBT) courses. The CBT program offers on-demand training,
so whenever your staff have time they are able to take the
course at their own pace and convenience. Regardless of the
size of your organization or development team, we can help
you meet your security training needs.
11 2 5 1 7 t h S t r e e t S u i t e 1 7 0 0 , D e n v e r , C O 8 0 2 0 2
Experience hands-on training using
real-world web applications
Learn how to make
code secure
|
800.574.0896
|
w w w. a c c u v a n t . c o m
Course
Intro to Web Application Security
Securing Web Applications in .NET
Web Application Security
Education for Developers
Prerequisites
– Must understand .NET framework and ASP.NET programming
– Familiarity with web application development (HTML, .NET framework)
– Comfort with Visual Studio
– Familiarity with Internet Information Services
– Familiarity with encryption and SSL is helpful but not required
Delivery
ILT
Beginner
CBT
ILT
Intermediate
Securing Web Applications in JAVA
Intermediate
Secure Coding C/C++
Secure Coding PHP
Intro to Web Application Security
This two-day beginner course is designed to implement
security as a culture amongst the developers and includes
a review of the secure coding guidelines for .NET as well
as .NET specific features like anti-XSS library. This highly
practical, interactive course focuses on secure coding
techniques and methodologies that can be immediately
applied in your applications. The class uses real-world
examples that walk through code samples using live,
feature-rich applications, and show how to hunt down,
debug, and mitigate flaws through better coding practices.
Level
CBT
ILT
Duration/Labs
2 days/4 hours
1 hour/self-paced
2 days/4 hours
Materials provided:
Instructor-Led
Training (IBT)
Class and labs manuals, use
of laptop with pre-loaded
materials during course
Computer-Based
Training (CBT)
Online: Polaris LMS system
or exportable to AICC/
SCORMM format for hosting
2 hour/self-paced
2 days/4 hours
CBT
2 hour/self-paced
Intermediate
CBT
1 hour/self-paced
Intermediate
CBT
1 hour/self-paced
Securing Web Applications in JAVA
Course Highlights
– Background
– Technologies
– Anatomy of an attack
–M
ost common web application attacks and vulnerabilities
–C
oncepts, examples, case studies, and scenarios for
each class of attack, including:
• XSS (Cross Site Scripting)
• SQL Injection
• Blind SQL Injection
• Authentication, Authorization and Session Attacks
• CSRF (Cross Site Request Forgery)
• Business Logic Flaws
• HTTP Response Splitting
– Solutions for protecting your applications
In this intermediate-level course, students gain valuable insight into
developing secure Microsoft .NET applications. The course helps
students understand web application attacks and how they occur due
to insecure coding practices. Students then see how we employ .NET
secure coding techniques to defend against these coding defects.
Students learn to define and identify secure code, differentiate between
secure coding methods, employ secure code in practice, and design and
judge effectiveness of secure coding practice. Students completing this
class find their secure coding abilities materially sharpened and are able
to integrate these techniques into your organization.
Prerequisites
– Must understand Java programming
– Familiarity with Web application development (HTML, servlets, .JSP) is required
– Comfort with any major Java IDE (NetBeans, IntelliJ, Eclipse, etc.) is required
– Familiarity with TomCat, or comparable servlet container, is required
Course Highlights
– Introduction
– Authentication
– Authorization and access control
– Session management
– Data validation
– Cryptography
–L
earn how hackers attack Web
applications
– Discover how these attacks work
–S
ee what coding mistakes make you
vulnerable
–L
earn how to make your code secure
– Familiarity with Java command line interface is required
– Familiarity with encryption and SSL is helpful but not required
Securing Web Applications in .NET
Course Highlights
In this intermediate-level course, students gain valuable insight
into developing secure Microsoft .NET applications. The course
helps students understand web application attacks and how they
occur due to insecure coding practices. Students then see how we
employ .NET secure coding techniques to defend against these
coding defects. Students learn to define and identify secure code,
differentiate between secure coding methods, employ secure code
in practice, and design and judge effectiveness of secure coding
practice. Students completing this class find their secure coding
abilities materially sharpened and are able to integrate these
techniques into your organization.
Prerequisites
– Must understand .NET framework and ASP.NET programming
– Familiarity with web application development (HTML, .NET framework)
– Comfort with Visual Studio
– Familiarity with Internet Information Services
– Familiarity with encryption and SSL is helpful but not required
– Introduction
– Illustrate how web applications are attacked
by hackers
– Show how these attacks work
– Show coding mistakes that make you
vulnerable to attacks
– Demonstrate how to make your code secure
– Authentication
– Authorization and access control
– Session management
– Data validation
Secure Coding C/C++
This intermediate-level course prepares students to develop secure applications in C
or C++. Students learn to define and identify secure code, differentiate between secure
coding methods, employ secure code in practice, and design and judge effectiveness
of secure coding practice. Students completing this class find their secure coding
abilities materially sharpened. The course focuses on learning by demonstration.
Throughout the course, vulnerability categories are explained, followed by real world
examples in popular applications. Risk is analyzed, and defense techniques are
identified for each vulnerability presented.
Prerequisites
– Knowledge of common application security vulnerabilities (e.g., OWASP Top 10) is mandatory
– Cryptography
– Understanding of C and C++ programming is recommended
– Miscellaneous topics in security
– Some experience or understanding of Internet Information Services is an asset
Course Highlights
– Introduction
– Memory organization
– Pointers
– Buffer overflows
– Format strings
– System calls
A c c u v a n t
M a n a g e d
L A B S
S o l u t i o n s
Data Sheet
Web Application Security Education
Secure Coding PHP
Course Highlights
In this intermediate-level course, students gain valuable insight into
developing secure PHP5 applications. The course shows students the latest
in web-based threats and teaches students how to go about defending
against them. Students learn to define and identify secure code, differentiate
between secure coding methods, employ secure code in practice, and build
safer web applications from the start. Students completing this class find their
secure coding abilities materially sharpened and are able to integrate these
techniques into your organization.
– Introduction
– SQL injection
– Cross-site scripting
– Session hijacking
– Parameter manipulation
– Insecure storage
– Forcible browsing
Prerequisites
– Must understand PHP programming
– Cross-site request forgery
– Familiarity with web application development
– Insecure configuration
– Unchecked redirects
– Clear-text communication
Contact Us
Contact
Us
Accuvant offers on-site education sessions for groups of 12 or more
students. We also can work with you to design custom training
courses that meet your unique needs. To learn more about Accuvant’s
Web Application Security Education program, please contact us at
[email protected].
About Accuvant
Accuvant is the only research-driven information security partner delivering alignment between IT security and business objectives, clarity to
complex security challenges, and confidence in complex security decisions.
Based on our clients’ unique requirements, Accuvant assesses, architects and implements the policies, procedures and technologies that most
efficiently and effectively protect valuable data assets.
Since 2002, more than 4,500 organizations, including half of the Fortune 100 and 800 federal, state and local entities, have trusted Accuvant with
their security challenges. Headquartered in Denver, Accuvant has offices across the United States and Canada. For more information, please visit
www.accuvant.com, follow us on Twitter: @Accuvant, or keep in touch via Facebook: http://tiny.cc/facebook553.
11 2 5 1 7 t h S t r e e t S u i t e 1 7 0 0 , D e n v e r , C O 8 0 2 0 2
|
800.574.0896
|
w w w. a c c u v a n t . c o m