Azerbaycan Yazılımcılar için Uygulama Güvenliği Eğitimi

  • Eğitim Tipi: Classroom
  • Süre: 2 Gün
  • Seviye: Intermediate
Bu eğitimi kendi kurumunuzda planlayabilirsiniz. Bize Ulaşın!

2-Day hands-on AppSec training covering the most common application security vulnerabilities and how to build secure applications that avoid these issues. Finding security vulnerabilities at the end of the SDLC is often too late to influence fundamental changes in the way the code is written, and many security issues could be avoided from the outset.

This class has been written by developers turned pen testers who can help developers to code in a secure manner and introduce security into the development cycle. Throughout this class, developers will be able to get on the same page with security professionals, understand how exploitable vulnerabilities are created in code, learn how to fix or mitigate vulnerabilities and get acquainted with the root causes behind some real-world breaches. Various bug bounty case studies from popular websites like Facebook, Google, Shopify, Paypal, Twitter etc will be discussed explaining the financial repercussions of application security vulnerabilities like SSRF, XXE, SQL Injection, Authentication issues etc.

The techniques discussed in this class are generic and developers from any language background can easily grasp and implement the knowledge learned within their own environments. In the class, .NET, Java and NodeJS are used in the workshop examples as this range provide lessons that can be used in a wide range of applications.

Students will also participate in a ‘capture the flag’ exercise where they’ll be challenged to identify vulnerabilities in code snippets derived from real-world applications.

  • Learn to code more securely and build more secure applications.
  • Identify and fix security vulnerabilities much earlier in the SDLC process saving time and effort.
  • Understand OWASP Top 10 common application vulnerabilities with practical demonstrations and deeper insight.
  • Understand the financial and wider repercussions of different vulnerabilities.
  • Get on the same page with the security team while discussing vulnerabilities.

Application Security Basics

  • Why do we need Application Security?
  • Understanding OWASP TOP 10

Understanding the HTTP Protocol

  • Understanding HTTP/HTTPS protocol
    • Lab: Configure Burpsuite to intercept HTTP/HTTPS traffic
  • Understanding Requests and Responses
    • Lab: Manipulating HTTP headers
    • Demo: Host Header Injection
    • Mitigation Techniques
  • Attack Surface detection

Security Misconfigurations

  • Common misconfigurations in Web Applications
  • Sensitive Information exposure and how to avoid it
  • Using Softwares with known vulnerabilities
    • Demo : Struts2 RCE

Insufficient Logging and Monitoring

  • Types of Logging
  • Introduction to F-ELK

Authentication Flaws

  • Password Complexity
    • Lab: Bruteforce using Burpsuite Intruder
  • Anti-Automation Techniques
    • Mitigating brute-force attacks
  • Password Storage
    • Crash Course on Cryptography
    • Introduction to HashiCorp Vault
  • Password Recovery – Best Practices
  • NoSQL Security
    • Lab: Bypass NoSQL Authentication
    • Mitigating NoSQL Injections
  • Understanding WebAuthn – Passwordless Authentication Framework

Authorization Bypass Techniques

  • Parameter Manipulation
    • Common Pitfalls and Mitigations
  • API Authentication – JWT
    • Introduction to JWT
    • Lab : Cracking JWT tokens
    • Common JWT Attacks
    • Mitigating JWT Attacks
  • SSO Authentication – OAuth
    • Introduction to OAuth
    • OAuth Flow
    • Lab: Bypass OAuth
    • Common OAuth Attacks
    • Mitigating OAuth Attacks
  • RBAC Bypasses and mitigations
  • Mass Assignment Vulnerability
    • Understanding Mass Assigning/Auto binding
    • Lab: Exploiting Mass Assignment
    • Mitigating Mass Assignment vulnerability
  • Insecure Direct Object References (IDOR)
    • Mitigating IDORs
  • Local file Inclusion (LFI)
    • Lab: Download internal files
    • Mitigating LFI

Cross-Site Scripting (XSS)

  • Understanding XSS
  • Reflected XSS
    • Lab: Exploiting Reflected XSS
    • Demo: Session Hijacking
  • Stored XSS
    • Lab: Exploiting Stored XSS
  • How not to Mitigate XSS
    • Lab: Pitfalls in XSS Defenses
  • Mitigating XSS

Cross-Site Request Forgery Scripting

  • Understanding CSRF
    • Lab: Exploiting CSRF
  • Mitigating CSRF

Server-Side Request Forgery (SSRF)

  • Understanding SSRF
    • Lab: Exploiting SSRF
    • SSRF in Cloud
  • Mitigating SSRF

SQL Injection

  • Understanding SQL Injection
    • Lab: Error-Based SQL Injection
    • Lab: Blind SQL Injection
  • Mitigating SQL Injection
  • ORM Frameworks

XML External Entity (XXE) Attacks

  • Understanding XML Entities
  • Understanding XXE Vulnerability
    • Lab: Exploiting XXE Vulnerability
  • Mitigating XXE

Unrestricted File Uploads

  • File Upload functionality
    • Lab: Uploading webshells
  • Mitigating File upload vulnerability

Deserialization Vulnerabilities

  • What is Serialization?
  • PHP Object Serialization
    • Demo: PHP Object Deserialization
    • Lab: Exploit PHP Deserialization
  • Java Object Serialization
    • Demo: Java Binary Deserialization
    • Other Java Deserialization
  • Detecting deserialization functions
  • Mitigation for deserialization vulnerabilities

Client-Side Security Concerns

  • Understanding Same Origin Policy
  • Understanding CORS (Cross-Origin Resource Sharing)
    • Demo: CORS
    • Excessive CORS
  • Transport Layer Protection: HSTS
  • Securing Cookies
  • Iframe Security
    • Demo: Clickjacking
  • Content-Security Policy
  • Referrer Policy

Source Code Review

  • Manual Code Review
    • SQL Injection
    • Identify vulnerable libraries
    • Identify Authorization Flaws
    • Log Injections
    • File Handling
    • Insecure Cryptography
  • Automated Code Review
    • Demo: FindSecBugs/CAT.NET
  • Secure Code Review CTF

DevSecOps

  • DevSecOps - What Why and How?
  • DevSecOps Sample Implementation


Eğitimlerle ilgili bilgi almak ve diğer tüm sorularınız için bize ulaşın!

Yakın tarihte açılacak eğitimler

Sınıf eğitimlerimizi Azerbaycan ofislerimizde düzenlemekteyiz. Kurumunuza özel eğitimleri ise, dilediğiniz tarih ve lokasyonda organize edebiliriz.

Classroom / Virtual Classroom
07 noyabr 2024
Baku
2 Gün
Classroom / Virtual Classroom
08 noyabr 2024
İstanbul
2 Gün
Classroom / Virtual Classroom
09 noyabr 2024
İzmir
2 Gün
Classroom / Virtual Classroom
07 noyabr 2024
Bodrum
2 Gün
Classroom / Virtual Classroom
08 noyabr 2024
Antalya
2 Gün
Classroom / Virtual Classroom
09 noyabr 2024
Kapadokya
2 Gün
Classroom / Virtual Classroom
22 noyabr 2024
Bursa
2 Gün
Classroom / Virtual Classroom
22 noyabr 2024
Ankara
2 Gün

İlgili Eğitimler

Yazılımcılar için Uygulama Güvenliği Eğitimi Azerbaycan

Kardeş ülke Azerbaycan (resmi adıyla Azerbaycan Cumhuriyeti) Kafkasya’da, Güney Kafkas Dağları bölgesinde bulunmaktadır. Çok zengin bir kültüren mirasa sahip olan Azerbaycan’ın, Hazar Denizi, Rusya, Gürcistan, Ermenistan ve İran gibi sınır komşuları vardır. Kafkasya’nın en büyük yüzölçümlü ülkesi olan Azerbaycan’da harika bir doğa çeşitliliği mevcut olup, hayvan yaşamının zenginliği de dikkat çekicidir. Üniter bir devlet olan Azerbaycan’ın Cumhurbaşkanı İlham Aliyev, resmi dili Azerice’dir.

Farsça Azar (Ateş) ve Payegan (Muhafız) kelimelerinin birlikteliğinden adını alan Azerbaycan Ateşler Ülkesi olarak da bilinmektedir. Bakü’de bulunan Flame Towers ülkenin en turistik yerlerinden biridir. Ülkede çok sayıda yanardağ ve petrol yatağı bulunmaktadır. Azerbaycan’ın mutlaka görülmesi gereken yerleri arasında Bakü’deki Alev Kuleleri, Kız Kalesi, Ateşgah, Targovi Caddesi ve Bakü Bulvarı’nın yanı sıra farklı şehirlerdeki Şeki Hanları Sarayı, Kobustan Milli Parkı, Han Bağı, Kebele ve Göygöl Milli Parkı sayılabilir.
Sitemizi kullanarak çerezlere (cookie) izin vermektesiniz. Detaylı bilgi için Çerez Politika'mızı inceleyebilirsiniz.