Customizable in-house trainings


Several times a year I enjoy conducting in-house training courses on topics like web application security (focusing on Java) as well as performance analysis and application monitoring. Aside from the one-day security awareness workshop, all trainings include lots of instructor-led exercises (over 75 percent of the time) based on demo applications written specifically for the trainings. Each training includes a digital handout (PDF) of the course contents, full of information for the attendees.

Just send me a mail in case you wish to receive more detailed course information. Depending on the audience, the courses are held in English or German. The contents of the workshops can be customized to suit your individual needs, your system environments, and your software development process model.

Java Web Application Security Training

Duration: 2 or 3 days

This workshop focuses on securing Java web applications against malicious hacker attacks. Throughout the course, a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications and continue to more specialized security holes.

Topics covered include:

  • Attack scenarios in modern web applications
  • Browser protection attempts like same origin policy (SOP) etc.
  • The OWASP organization (tools, papers, top 10)
  • Finding vulnerabilities in the workshop's demo web application and hardening the application against the attack vectors:
    • SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Forceful Browsing, Parameter Tampering, Path Traversal, Session Fixation, Session Hijacking, Command Injection, XML attacks like XXE, XPath Injection, Information Disclosure, Header Injection, Redirect Manipulation, LDAP Injection, JSON Hijacking, Local File Inclusion, Authentication Bypasses, Clickjacking, ...
  • WebService (SOAP and REST) based attacks
  • Security considerations for client-side JavaScript frameworks like jQuery
  • HTML5 attacks and security considerations for WebSockets, local storage, etc.
  • Using automated passive and active scanners
  • Professional analysis and exploitation frameworks
  • Implementing defense strategies (server & client)
    • Output escaping (context-aware), input validation, HTTP protection headers, Content Security Policy (CSP), token-based protection, form value masking, URL hashing/signing, URL encryption, ...

This training includes many hands-on exercises, like finding security holes in the demo application followed by fixing the vulnerabilities and hardening the application. Attendees will learn how to apply primary defenses and secondary hardening measures to the application. The course also includes offensive parts covering real-world exploitation of the security holes in order to fully understand the individual impact on a complete software system, like stealthy session stealing, user impersonation, sensitive data exfiltration, remote filesystem access, attacker shells, server takeover, etc. But since the main focus is the mitigation of security problems, at the end of the workshop prophylactic protection techniques and best practices (like tokens, URL encryption, etc.) are also applied in the demo application. Each attack is covered in the demo application via multiple coding examples taken from real-world pentesting and development experience. Attendees can use either Eclipse or IntelliJ for the coding exercises, depending on personal preference.

The main intention behind this course is to learn and practice web application hardening by finding security holes step by step and closing them. As attendees assume both roles (the attacker's point of view as well as the developer's defensive point of view), code-review and pentesting skills are learned in addition to the defense strategies.

I had the chance to hold this training over 25 times during the last two years (and constantly improved it) for national and international companies ranging from small IT startups to big enterprises. In August 2013 I also had the chance to present a special version of it as a public training at the OWASP AppSec EU conference in Hamburg.

Target audience: Java (Web) Software Developers, Software Architects, Security Consultants


Interested in this in-house training? Just send me a mail and ask for further course information.