Overview
To better understand how to protect your software applications and infrastructure, you first need to understand how malicious actors can target and attempt to hack into software systems. This course will show you how readily available tools can be used to find and exploit vulnerabilities in your software, what you can do to avoid such exploits and how you can identify when your systems have been compromised.
Objectives
This course will help software engineers understand how hackers break into applications and in doing so help them better understand how to protect their software and identify when things have been compromised.
- Learn techniques used for breaking web applications
- How to use tools and automation to learn more about your software
- Understand proactive vs reactive security
- Identify indicators of potential issues, such as a compromised system
Outline
Setting the Scene
- Understanding the impact of security issues
- The threats haven’t changed but the method for delivery has
- Every team member has an impact
Introduction
- Examples of successful compromises
- The frequency and severity of attacks
- Legislative requirements: CRA, DORA, Biden Cyber Security
- Compliance requirements: ASVS, MASVS, OVS
How Attackers Identify Targets & Perform Reconnaissance
- Use of tools to understand what is exploitable
- Identifying areas of weakness
- Identifying target information from OSINT sources
- How to proxy HTTP traffic and understand weaknesses using Burp Suite
- Open Source intelligence
Practical Security Issues
- How to break stuff via the tools
- Metasploit exploitation of vulnerabilities
- Common flaws in authentication and session management
- Choosing between allowlists and blocklists for validating input
- Identifying and fixing misconfigurations
- Guarding against sensitive data exposure
- Introducing function level access control
- Preventing cross-site request forgery
- Avoiding components with known vulnerabilities
- Preventing unvalidated requests and forwards
Capture The Flag
- Guided leaderboard session exploring & practising penetration & security testing techniques
- Using of relevant Capture the Flag software depending on audience
- OWASP Juice Shop for developers and testers involved with Front End development
Requirements
Attendees should have at least 6 months' experience building applications. Ideally, they should also have attended our threat modelling training.
About The Trainer
Simon Whittaker has been providing security services & training to both local organisations and some of the world’s largest companies for over 10 years.
Simon’s background in both development & System/Network Administration provides a great view on how best to compromise and secure required services & applications while also ensuring that training courses, content & practicals can be aimed at the right audiences.
Most of Simon’s work involves working with companies to test and improve secure coding practices, penetration & security testing and providing security consultancy to companies that are keen to improve their processes & procedures.
Simon also has great experience in developing & implementing efficient and effective practices across departments to assist with securing and retaining external quality recognition such as ISO27001.
