Training Developers to Build More Secure Web Applications
Transcription
Training Developers to Build More Secure Web Applications
A c c u v a n t M a n a g e d L A B S S o l u t i o n s Data Sheet Web Application Security Education Training Developers to Build More Secure Web Applications Accuvant’s Education Program Shares Coding Best Practices to Help Organizations Minimize Vulnerabilities and Risk In the rapidly evolving application security landscape, professionals in many roles –management, IT, information security, and developers – all have an important part to play in securing web applications and reducing risk. This is primarily because attackers search for vulnerabilities within these applications to steal data, hijack systems, or disrupt business. While it is critical to find and fix vulnerabilities in already developed web applications, organizations can reduce their risk by decreasing the volume of vulnerabilities before they are introduced. By arming their developers with industry best practices to build more secure web applications, companies can help prevent an attack from ever occurring. However, many organizations are challenged with training their teams of developers who work with various technologies and may be in geographically disparate locations. This leaves many web applications susceptible to an attack. Attendees of Accuvant’s Web Application Security Education courses: Sharing Practical Knowledge with Developers To help you train your developers, Accuvant has created its Web Application Security Education program, a series of traditional instructor-led training (ILT) courses that teach secure coding best practices. Each class is taught by Accuvant LABS consultants who have analyzed and secured the data assets of some of the world’s largest public and private organizations and are recognized as industry thought leaders. Extensive experience and ongoing, indepth research into the application security space allows our consultants to deliver comprehensive and practical training courses covering broad overviews. They also provide deepdives into core technologies such as C/C++, J2EE, .NET and web services. Learn how to identify and fix website vulnerabilities Discover which coding errors make an organization vulnerable to attack Understand hacker’s tools and techniques In addition to providing ILT courses, we have partnered with Security Compass, an information security consulting firm that specializes in secure software development and training, to deliver remote learning and computer-based training (CBT) courses. The CBT program offers on-demand training, so whenever your staff have time they are able to take the course at their own pace and convenience. Regardless of the size of your organization or development team, we can help you meet your security training needs. 11 2 5 1 7 t h S t r e e t S u i t e 1 7 0 0 , D e n v e r , C O 8 0 2 0 2 Experience hands-on training using real-world web applications Learn how to make code secure | 800.574.0896 | w w w. a c c u v a n t . c o m Course Intro to Web Application Security Securing Web Applications in .NET Web Application Security Education for Developers Prerequisites – Must understand .NET framework and ASP.NET programming – Familiarity with web application development (HTML, .NET framework) – Comfort with Visual Studio – Familiarity with Internet Information Services – Familiarity with encryption and SSL is helpful but not required Delivery ILT Beginner CBT ILT Intermediate Securing Web Applications in JAVA Intermediate Secure Coding C/C++ Secure Coding PHP Intro to Web Application Security This two-day beginner course is designed to implement security as a culture amongst the developers and includes a review of the secure coding guidelines for .NET as well as .NET specific features like anti-XSS library. This highly practical, interactive course focuses on secure coding techniques and methodologies that can be immediately applied in your applications. The class uses real-world examples that walk through code samples using live, feature-rich applications, and show how to hunt down, debug, and mitigate flaws through better coding practices. Level CBT ILT Duration/Labs 2 days/4 hours 1 hour/self-paced 2 days/4 hours Materials provided: Instructor-Led Training (IBT) Class and labs manuals, use of laptop with pre-loaded materials during course Computer-Based Training (CBT) Online: Polaris LMS system or exportable to AICC/ SCORMM format for hosting 2 hour/self-paced 2 days/4 hours CBT 2 hour/self-paced Intermediate CBT 1 hour/self-paced Intermediate CBT 1 hour/self-paced Securing Web Applications in JAVA Course Highlights – Background – Technologies – Anatomy of an attack –M ost common web application attacks and vulnerabilities –C oncepts, examples, case studies, and scenarios for each class of attack, including: • XSS (Cross Site Scripting) • SQL Injection • Blind SQL Injection • Authentication, Authorization and Session Attacks • CSRF (Cross Site Request Forgery) • Business Logic Flaws • HTTP Response Splitting – Solutions for protecting your applications In this intermediate-level course, students gain valuable insight into developing secure Microsoft .NET applications. The course helps students understand web application attacks and how they occur due to insecure coding practices. Students then see how we employ .NET secure coding techniques to defend against these coding defects. Students learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice. Students completing this class find their secure coding abilities materially sharpened and are able to integrate these techniques into your organization. Prerequisites – Must understand Java programming – Familiarity with Web application development (HTML, servlets, .JSP) is required – Comfort with any major Java IDE (NetBeans, IntelliJ, Eclipse, etc.) is required – Familiarity with TomCat, or comparable servlet container, is required Course Highlights – Introduction – Authentication – Authorization and access control – Session management – Data validation – Cryptography –L earn how hackers attack Web applications – Discover how these attacks work –S ee what coding mistakes make you vulnerable –L earn how to make your code secure – Familiarity with Java command line interface is required – Familiarity with encryption and SSL is helpful but not required Securing Web Applications in .NET Course Highlights In this intermediate-level course, students gain valuable insight into developing secure Microsoft .NET applications. The course helps students understand web application attacks and how they occur due to insecure coding practices. Students then see how we employ .NET secure coding techniques to defend against these coding defects. Students learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice. Students completing this class find their secure coding abilities materially sharpened and are able to integrate these techniques into your organization. Prerequisites – Must understand .NET framework and ASP.NET programming – Familiarity with web application development (HTML, .NET framework) – Comfort with Visual Studio – Familiarity with Internet Information Services – Familiarity with encryption and SSL is helpful but not required – Introduction – Illustrate how web applications are attacked by hackers – Show how these attacks work – Show coding mistakes that make you vulnerable to attacks – Demonstrate how to make your code secure – Authentication – Authorization and access control – Session management – Data validation Secure Coding C/C++ This intermediate-level course prepares students to develop secure applications in C or C++. Students learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice. Students completing this class find their secure coding abilities materially sharpened. The course focuses on learning by demonstration. Throughout the course, vulnerability categories are explained, followed by real world examples in popular applications. Risk is analyzed, and defense techniques are identified for each vulnerability presented. Prerequisites – Knowledge of common application security vulnerabilities (e.g., OWASP Top 10) is mandatory – Cryptography – Understanding of C and C++ programming is recommended – Miscellaneous topics in security – Some experience or understanding of Internet Information Services is an asset Course Highlights – Introduction – Memory organization – Pointers – Buffer overflows – Format strings – System calls A c c u v a n t M a n a g e d L A B S S o l u t i o n s Data Sheet Web Application Security Education Secure Coding PHP Course Highlights In this intermediate-level course, students gain valuable insight into developing secure PHP5 applications. The course shows students the latest in web-based threats and teaches students how to go about defending against them. Students learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and build safer web applications from the start. Students completing this class find their secure coding abilities materially sharpened and are able to integrate these techniques into your organization. – Introduction – SQL injection – Cross-site scripting – Session hijacking – Parameter manipulation – Insecure storage – Forcible browsing Prerequisites – Must understand PHP programming – Cross-site request forgery – Familiarity with web application development – Insecure configuration – Unchecked redirects – Clear-text communication Contact Us Contact Us Accuvant offers on-site education sessions for groups of 12 or more students. We also can work with you to design custom training courses that meet your unique needs. To learn more about Accuvant’s Web Application Security Education program, please contact us at [email protected]. About Accuvant Accuvant is the only research-driven information security partner delivering alignment between IT security and business objectives, clarity to complex security challenges, and confidence in complex security decisions. Based on our clients’ unique requirements, Accuvant assesses, architects and implements the policies, procedures and technologies that most efficiently and effectively protect valuable data assets. Since 2002, more than 4,500 organizations, including half of the Fortune 100 and 800 federal, state and local entities, have trusted Accuvant with their security challenges. Headquartered in Denver, Accuvant has offices across the United States and Canada. For more information, please visit www.accuvant.com, follow us on Twitter: @Accuvant, or keep in touch via Facebook: http://tiny.cc/facebook553. 11 2 5 1 7 t h S t r e e t S u i t e 1 7 0 0 , D e n v e r , C O 8 0 2 0 2 | 800.574.0896 | w w w. a c c u v a n t . c o m