Customizable in-house trainings


Several times a year I enjoy conducting in-house training courses on topics such as web application security (focusing on Java) as well as performance analysis and application monitoring. Aside from the one-day security awareness workshop, all trainings consist largely of instructor-led exercises (over 75 percent of the time) based on demo applications written specifically for the trainings. Each training includes a digital handout (PDF) of the course contents with detailed information for the attendees.

Just send me a mail if you would like more detailed course information. Depending on the audience, the courses are held in English or German. The contents of the workshops can be customized to suit your individual needs, your system environment and your software development process model.

Web Application Security Awareness Workshop

Duration: 1 day

This workshop focuses on the offensive side of web application security by demonstrating live hacking against a demo application written specifically for this workshop. Attack scenarios in modern web applications are covered and fully exploited during the workshop. Server- and client-side defense strategies are presented and discussed.

Topics covered include:

  • Attack scenarios in modern web applications
  • Browser-side protections such as the same-origin policy (SOP)
  • The OWASP organization (tools, papers, top 10)
  • Live hacking and full exploitation against the workshop's demo web application using common attack vectors:
    • SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Forceful Browsing, Parameter Tampering, Path Traversal, Session Fixation, Session Hijacking, Command Injection, XML attacks such as XXE, XPath Injection, Information Disclosure, Header Injection, Redirect Manipulation, LDAP Injection, JSON Hijacking, Local File Inclusion, Authentication Bypasses, Clickjacking, ...
  • Web service (SOAP and REST) attacks
  • Security considerations for client-side JavaScript frameworks such as jQuery
  • HTML5 attacks and security considerations for WebSockets, local storage, etc.
  • Automated passive and active scanners
  • Professional analysis and exploitation frameworks
  • Defense strategies (server and client)

Due to the limited time (one day), this training does not include hands-on exercises. All live hacks are presented against the custom-written demo application. The course also covers the real-world exploitation of the security holes found, in order to make the impact of each one on a complete software system tangible: stealthy session stealing, user impersonation, sensitive data exfiltration, remote filesystem access, attacker shells, server takeover, etc.

The main intention behind this course is to raise awareness of (web) security problems and to start a discussion about their impact and about defense strategies. Expect it to be an eye-opener regarding security problems in web applications for developers as well as project managers.

Target audience: Software Architects, Software Developers, Technical Project Managers


Interested in this in-house training? Just send me a mail and ask for further course information.