Training: Hands-on Developer Workshop
Web application security is still a topic of great importance for the IT security of data and companies. One small programming error and attackers from the Internet can take over the web server, access the database, or reach internal services via the application. Nowadays, large projects and organizations such as the Open Web Application Security Project (OWASP, https://owasp.org/) provide large amounts of freely accessible material and information on security issues in web development. Nevertheless, our penetration tests on web applications show that vulnerabilities known for 10 years, such as cross-site scripting or SQL injection, are still a problem. Consequently, in this hands-on web security workshop, NSIDE does not follow the "how do I develop secure software" approach, but lets participants learn and work out for themselves what the consequences of vulnerabilities can be and what matters when exploiting them. Taking the perspective of an attacker allows even security-experienced web developers to learn new aspects of vulnerabilities and, through a complete understanding of these vulnerabilities, how to avoid them in the future, even in complex situations.
What do participants learn in the workshop?
The workshop describes well-known and lesser-known vulnerabilities found on the web, from the OWASP Top 10 and beyond, and their threats are worked out practically. Unlike many other web security workshops, this one focuses on exploiting the vulnerabilities in order to really understand them, with everything that entails: participants learn to identify and exploit programming, configuration and architectural flaws in a provided vulnerable application. The exploitation aspect effectively illustrates the problems that certain programming errors can cause, and what to look for in order to make an application secure. The identified errors are then discussed, solutions are worked out and the errors are fixed. The workshop contains at least one hands-on task for almost every OWASP Top 10 vulnerability class; participants solve several tasks while the trainer assists.
What is the content?
Topics covered include the following:
- Necessary theory on core concepts of the Web (statelessness, same-origin policy, etc.)
- Explanation of vulnerabilities of the OWASP Top 10
- Hands-on: Identification of vulnerabilities of the OWASP Top 10
- Hands-on: Exploitation of all identified vulnerabilities to experience their effects and threats for yourself
- Hands-on: Escalation of vulnerabilities: What is actually possible with some vulnerabilities?
- Hands-on: Subsequent fixing of the vulnerabilities and verification of the fix
- Contents of the Secure Development Lifecycle (SDL)
What is the target audience (prior knowledge etc.)?
This workshop is aimed primarily at web developers and system architects for whom the secure development of software is important. Programming knowledge is required; Java and Spring Framework knowledge is recommended but optional.
How long does the workshop take?
Duration: 3 days