AppSec for Developers

This is our Specialist course for Appsec Developers and is part of the AppSecOps course.

In this 2-Day Intermediate hands-on course delegates will gain an understanding of application security vulnerabilities including the industry standard OWASP Top 10 list and learn strategies to defend against them.

Pen testing (security testing) as an activity tends to capture security vulnerabilities at the end of the SDLC and then it is often too late to influence fundamental changes in the way the code is written.

Web application security tends to be addressed only when vulnerabilities are found on applications running in production. Addressing these vulnerabilities at that stage becomes an expensive affair. These vulnerabilities arise primarily because developers are not sensitized against their impact and more importantly their fixing/patching.

The aim of this class is two-fold:

  • Sensitize developers about application security vulnerabilities and their impact through live exploitation of a vulnerable application.
  • Guide the developers to identify the root cause of the vulnerability in code, patch it, re-deploy the application, and finally verify the fix. All of this completely from the browser.

Throughout this class, developers will be able to get on the same page with security professionals, understand their language, learn how to fix or mitigate vulnerabilities learnt during the class and get acquainted with some real-world breaches, for example, “The Equifax” breach in September 2017. Various bug bounty case studies from popular websites like Facebook, Google, Shopify, Paypal, Twitter etc will be discussed explaining the financial repercussions of application security vulnerabilities like SSRF, XXE, SQL Injection, Authentication issues etc.

The application that the audience will interact with is a Shopping cart application built on a microservices architecture and deployed using docker. Microservices are built using different languages like Java, .NET Core, PHP, Python, NodeJS, HTML and JavaScript each containing different vulnerabilities that needs patching.However, the approach is kept generic and developers from other language backgrounds can easily grasp and implement the knowledge learned within their own environments.

Each Delegate will be provided a separate lab infrastructure that is accessible completely from the browser.Delegates will participate in a CTF challenge where they will have the chance to identify vulnerabilities in code snippets derived from real-world applications.

2021 Edition

Fast track available

2 day course

Available by Partners

Live, online available

Hack-Lab is available

Intermediate

For security and IT decision makers

What’s the real impact of training your team through NotSoSecure?

Make your organisation a less attractive target to attackers by building a team that can write code resistant to complex, modern attacks, without losing business functionality and development speed. Trained delegates can:

  • Write secure application code resilient to a variety of web-based attacks in the OWASP top 10.
  • Understand how attackers identify vulnerabilities in code, and the impact of this, so they can adopt more secure ways of working.
  • Identify and mitigate security vulnerabilities earlier on in the development lifecycle.
  • Use a vocabulary of risk and exploitation to work more effectively with security practitioners.
  • Understand the business impact of application security and articulate this to key stakeholders.
  • Take on greater responsibility in the team and become an advocate of security in the wider business.

Course Overview

As it is critical to introduce security as a quality component into the development cycle, this course has been written by developers turned Pen Testers who can help you to code in a secure manner.

Pen testing as an activity tends to capture security vulnerabilities at the end of the SDLC and it is then often too late to influence fundamental changes in the way the code is written.

The class is a highly practical and we cover a variety of best security practices and in-depth defense approaches which you should be aware of while developing applications. The class also covers quick techniques which you can use to identify various security issues throughout the code review proces.

Course Details

You will be able to:

  • Understand OWASP Top 10 with practical demonstrations and deeper insight.
  • Delve into various bug bounty case studies from popular websites like Facebook, Google, Shopify, Paypal, Twitter.
  • Participate in a CTF challenge where you will have the chance to identify vulnerabilities in code snippets derived from real-world applications.
  • Gain an insight into the latest security vulnerabilities, such as host header injection, XML external entity injection, attacks on JWT tokens, deserialization vulnerabilities.
  • Design best security practices following an introduction to various security frameworks and tools and techniques for secure application development.
  • Get on the same page with the security team while discussing vulnerabilities.
  • Understand the financial repercussions of different vulnerabilities.

You will receive:

Apart from the various tools and content around the course Delegates will also be provided with a 7-day lab access where they can practice all the exercises/demos shown during the course.

What you can take away from the course:

  • Understand OWASP Top 10 with practical demonstrations and deeper insight.
  • Understand the financial repercussions of different vulnerabilities.
  • Get on the same page with the security team while discussing vulnerabilities.
  • Identify and Fix security vulnerabilities much earlier in the SDLC process saving time and effort.

Details of the course content:

APPLICATION SECURITY BASICS

  • Why do we need Application Security?
  • Understanding OWASP TOP 10

UNDERSTANDING THE HTTP PROTOCOL

  • Understanding HTTP/HTTPS protocol
  • Understanding Requests and Responses – Attack Surface
  • Configure Burpsuite to intercept HTTP/HTTPS traffic

SECURITY MISCONFIGURATIONS

  • Common misconfigurations in Web Applications
  • Sensitive Information exposure and how to avoid it
  • Using Softwares with known vulnerabilities

INSUFFICIENT LOGGING AND MONITORING

  • Types of Logging
  • Introduction to F-ELK

AUTHENTICATION FLAWS

  • Understanding Anti-Automation Techniques
  • NoSQL Security

AUTHORIZATION BYPASS TECHNIQUES

  • Securing JWT and OAuth
  • Local file Inclusion
  • Mass Assignment Vulnerability

CROSS-SITE SCRIPTING (XSS)

  • Types of XSS
  • Mitigating XSS

CROSS-SITE REQUEST FORGERY SCRIPTING

  • Understanding CSRF
  • Mitigating CSRF

SERVER-SIDE REQUEST FORGERY (SSRF)

  • Understanding SSRF
  • Mitigating SSRF

SQL INJECTION

  • Error and Blind SQL Injections
  • Mitigating SQL Injection
  • ORM Framework: HQL Injection

XAML EXTERNAL ENTITY (XXE) ATTACKS

  • Default XML Processors == XXE
  • Mitigating XXE

UNRESTRICTED FILE UPLOADS

  • Common Pitfalls around file upload
  • Mitigating File upload vulnerability

DESERIALIZATION VULNERABILITIES

  • What is Serialization?
  • Identifying Deserialization functions and deserialized data
  • Mitigation strategies for deserialization

CLIENT-SIDE SECURITY CONCERNS

  • Understanding Same Origin Policy
  • Windows Desktop ‘Breakout’ and AppLocker Bypass Techniques (Win 10)
  • Client-Side Security headers and their server configurations

SOURCE CODE REVIEW

  • What to check for Security in source code
  • CTF: A timed game to spot the flaws in the given Source Code samples

DEVSECOPS

  • DevSecOps – What Why and How?
  • Case Study

Prerequisites

Who Should Take This Class?

This course is ideal for Web/API developers who work day-in-day out building full-stack web applications or web APIs. Anyone who is looking to develop a skill-set into web application security and is looking to identify web application flaws will also benefit from this course.

Delegate Requirements

Delegates need to have a basic understanding of how web applications work with an added advantage for those who currently develop web applications. This training is a programming language agnostic.

What you will need:

A Laptop with minimum 4 GB RAM and 1 GB of extra space is also required.

It is recommended that you complete one of the following courses before taking this course:

The Art of Hacking

How to book

This course is available directly from Claranet Cyber Security, please use the form alongside.

The course is also available from our partners listed below

QA training

If booked through Check Point, Cyber-Security Leraning Credits are accepted for this course.

Checkpoint training

Courses and webinars

AppSec for Developers

Course Information

You can download a copy of the course information below.

In addition you will also be provided with a student pack, handouts and cheat-sheets if appropriate.

Download the course information

Your Training Roadmap

Offensive Classes

Hacking training for all levels: new to advanced. Ideal for those preparing for certifications such as CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST as well as infrastructure / web application penetration testers wishing to add to their existing skill set.

Defensive Classes

Giving you the skills needed to get ahead and secure your business by design. We specialise in application security (both secure coding and building security testing into your software development lifecycle) and cloud security. Build security capability into your teams enabling you to move fast and stay secure.

Testimonials

These trainings from NotSoSecure are world class (Black Hat Level) and truly worth it."

Delegate, Black Hat AppSecOps Course

The trainer was very knowledgeable and paced the training about right - strong practical focus complemented the 'theory'. All in all very pleased with the training - and much better experience and value than any previous courses I have attended where the trainer was a generalist delivering to a 'script'."

Delegate, Private QA AppSec class

Good course, knowledgeable trainer. Excellent Demos!"

Delegate, Private QA AppSec class

The tools presented are excellent. It was good that there had obviously been a lot of work done on finding good tools for each piece of the course."

Delegate, AppSecOps Course

The content was really interesting and I like the real-world examples of what was being explained."

Delegate, AppSecOps Course

Thank you @notsosecure and @nullcon for the extensive training on DevSecops. Really engaging and a great learning session. Worth mentioning the material and the hands on-lab. Kudos to the team and their hard work for a smooth experience."

Delegate, Nullcon 2021