
Best Practices for Secure Web Applications

This seminar provides an extensive introduction to web application security and presents a coherent and comprehensive concept for achieving long-term security for web applications, websites and web servers. Both programming-level solutions and software and system architecture patterns are provided, which can be easily adapted to your company's environment. At the end, participants will be able to create (more) secure (web) applications, analyse existing applications for basic security vulnerabilities and derive corresponding countermeasures.

The seminar is largely based on the pioneering work of OWASP (Open Web Application Security Project). That said, the seminar goes far beyond the basic security topics of the well-known OWASP Top 10. Special attention is given to real-world examples and practical exercises.

If the training lasts more than 2 days, our renowned training environment can be used. Participants analyse and reconstruct the vulnerabilities by solving specific tasks, which are then discussed in the group. Special emphasis is placed on participants using their own computers, and therefore their own preferred working environment.

The content of all our training courses can be adapted to your specific needs.

Content

  • Basics
    • HTTP basics
    • Authentication/authorization, access control
    • Sessions, cookies, DOM storage, JWT
    • SOP, CORS
    • Security headers (CSP, HSTS, etc.)
    • Cryptography (fundamentals, SSL/TLS, certificates, etc.)
    • SOAP, JSON
  • Attacks
    • XSS (reflected, stored, DOM-based)
    • Injection (SQL, LDAP, XML, code, …)
    • Object deserialization
    • CSRF, clickjacking
    • JSONP hijacking, CORS misconfiguration
    • XML External Entity (XXE) includes
    • Logical/semantic attacks, phishing
  • Defence
    • Network segmentation, firewalls, WAFs
    • Input validation, output encoding
    • Anti-automation
    • Programming best practices

Target audience

  • Software developers
  • Architects
  • Project managers

Duration

2 to 3 days, or tailored individually

Prerequisites

None

Trainers

Dr. Bastian Braun: security consultant on numerous software projects
Mirko Richter: 15 years of software development experience
Dr. Benjamin Kellermann
Maximiliane Zirm