Application Security Testing Training in New Zealand

Delegates need to have a basic understanding of how web applications work with an added advantage for those who currently develop web applications. This training is a programming language agnostic.

• Understand basic concepts of security, IT security and secure coding
• Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
• Learn about XML security
• Learn client-side vulnerabilities and secure coding practices
• Understand security testing approaches and methodologies
• Get practical knowledge in using security testing techniques and tools
• Learn how to set up and operate the deployment environment securely
• Get sources and further readings on secure coding practices

Day 1

• IT security and secure coding
  • Nature of security
  • What is risk?
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cybercrime
    • Nature of security flaws
    • From an infected computer to targeted attacks
    • The Seven Pernicious Kingdoms
    • OWASP Top Ten 2017
• Web application security
  • Injection
    • Injection principles
    • SQL injection
    • Exercise – SQL injection
    • Typical SQL Injection attack methods
    • Blind and time-based SQL injection
    • SQL injection protection methods
    • Effect of data storage frameworks on SQL injection
    • Detecting SQL Injection
    • Detecting SQL Injection – Typical tests
    • Detecting SQL Injection – Bypass defenses
    • Other injection flaws
    • Command injection
    • Detecting command injection
    • Case study – ImageMagick
  • Broken authentication
    • Session handling threats
    • Session handling best practices
    • Session handling in Java
    • Setting cookie attributes – best practices
  • Sensitive data exposure
    • Sensitive data exposure
    • Transport layer security
    • Enforcing HTTPS
  • XML external entity (XXE)
    • XML Entity introduction
    • XML external entity attack (XXE) – resource inclusion
    • XML external entity attack – URL invocation
    • XML external entity attack – parameter entities
    • Exercise – XXE attack
    • Preventing entity-related attacks
    • Case study – XXE in Google Toolbar
  • Broken access control
    • Typical access control weaknesses
    • Insecure direct object reference (IDOR)
    • Exercise – Insecure direct object reference
    • Protection against IDOR
    • Testing for insecure direct object reference
    • Testing for insecure direct object references
  • Security misconfiguration
    • Security misconfiguration
    • Configuring the environment
    • Insecure file uploads
    • Exercise – Uploading executable files
    • Filtering file uploads – validation and configuration
  • Cross-Site Scripting (XSS)
    • Persistent XSS
    • Reflected XSS
    • DOM-based XSS
    • Exercise – Cross Site Scripting
    • XSS prevention
    • Detecting XSS vulnerabilities
    • Bypassing XSS filters

Day 2

• Web application security
  • Insecure deserialization
    • Serialization and deserialization basics
    • Security challenges of deserialization
    • Deserialization in Java
    • Denial-of-service via Java deserialization
    • From deserialization to code execution
    • POP payload targeting InvokerTransformer (Java)
    • Real-world Java deserialization vulnerabilities
    • Issues with deserialization – JSON
    • Best practices against deserialization vulnerabilities
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring
    • Detection and response
• Client-side security
  • JavaScript security
  • Same Origin Policy
  • Simple requests
  • Preflight requests
  • Clickjacking
    • Clickjacking
    • Exercise – IFrame, Where is My Car?
    • Protection against Clickjacking
    • Anti frame-busting – dismissing protection scripts
    • Protection against busting frame busting
  • AJAX security
    • XSS in AJAX
    • Script injection attack in AJAX
    • Exercise – XSS in AJAX
    • XSS protection in AJAX
    • Exercise CSRF in AJAX – JavaScript hijacking
    • CSRF protection in AJAX
• Security testing
  • Functional testing vs. security testing
  • Security vulnerabilities
  • Prioritization – risk analysis
  • Security assessments in various SDLC phases
  • Security testing methodology
    • Steps of test planning (risk analysis)
    • Scoping and information gathering
    • Stakeholders
    • Assets
    • Exercise – Identifying assets
    • Security objectives for testing
    • Exercise – Defining security objectives
    • Threat modeling
    • Attacker profiles
    • Threat modeling
    • Threat modeling based on attack trees
    • Exercise – Craft an attack tree
    • Threat modeling based on misuse/abuse cases
    • Misuse/abuse cases – a simple example
    • Exercise – Craft a misuse case
    • SDL threat modeling
    • The STRIDE threat categories
    • Diagramming – elements of a DFD
    • Data flow diagram – example
    • Threat enumeration – mapping STRIDE to DFD elements
    • Risk analysis – classification of threats
    • The DREAD risk assessment model
    • Exercise – Risk analysis
    • Testing steps
    • Deriving test cases
    • Accomplishing the tests
    • Processing test results
    • Mitigation concepts
    • Standard mitigation techniques of MS SDL
    • Review phase
• Security testing techniques and tools
  • General testing approaches
  • Design review
    • Assessment of security requirements
    • Identifying security-critical aspects – hotspots

Day 3

• Source code review
  • Code review for software security
  • Taint analysis
  • Heuristic-based
• Input validation
  • Input validation concepts
  • Integer problems
    • Representation of negative integers
    • Integer overflow
    • Exercise IntOverflow
    • What is the value of Math.abs(Integer.MIN_VALUE)?
    • Integer problem – best practices
    • Integer problem – best practices
    • Avoiding arithmetic overflow – addition
    • Avoiding arithmetic overflow – multiplication
    • Detecting arithmetic overflow in Java 8
    • Exercise – Using addExact() in Java
    • Testing for integer problems
• Improper use of security features
  • Typical problems related to the use of security features
  • Password management
    • Exercise – Weakness of hashed passwords
    • Password management and storage
    • Special purpose hash algorithms for password storage
    • Argon2 and PBKDF2 implementations in Java
    • bcrypt and scrypt implementations in Java
    • Case study – the Ashley Madison data breach
    • The loginkey token
    • Revealing the passwords with brute forcing
    • Typical mistakes in password management
    • Exercise – Hard coded passwords
    • Sensitive info in memory - minimize the attack surface
  • Static code analysis
    • Static code analysis
    • Exercise – Using static code analysis tools
• Testing the implementation
  • Manual vs. automated security testing
  • Penetration testing
  • Stress tests
  • Proxy servers and sniffers
    • Testing with proxies and sniffers
    • Packet analyzers and proxies
    • Exercise – Testing with proxy
  • Web vulnerability scanners
    • Exercise – Using a vulnerability scanner
    • SQL injection tools
    • Exercise – Using SQL injection tools
• Deployment environment
  • Assessing the environment
  • Configuration management
    • Configuration management
  • Hardening
    • Hardening
    • Network-level hardening
    • Server hardening – principle of least privilege
    • Hardening the deployment – server administration
    • Hardening the deployment – access control
  • Patch and vulnerability management
    • Patch management
    • Vulnerability repositories
    • Vulnerability attributes
    • Common Vulnerability Scoring System – CVSS
    • Vulnerability management software
    • Exercise – checking for vulnerable packages
• Principles of security and secure coding
  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder
• Knowledge sources
  • Secure coding sources – a starter kit
  • Vulnerability databases
  • Java secure coding sources
  • Recommended books – Java