AppSec USA Training

Cryptography for the Modern Developer

September 16th
US $800

Presented by Blindspot Security LLC

About the course

Year after year, cryptography is incorporated into more and more systems. Whether it be encrypting data in transit with off-the-shelf protocols, or implementing custom encryption mechanisms for data at rest, software developers are increasingly expected to leverage cryptography to meet security demands.

However, few developers have the experience or training to implement cryptography safely. The significant learning curve associated with using any cryptographic primitive properly, combined with the error-prone APIs that most development environments expose to developers, has led to countless flaws in modern applications.

This course is designed to provide attendees with the core concepts required to make informed decisions about which cryptographic primitives and APIs are safest to use in practice. Attendees will further learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure. No significant background in cryptography is required to take this one-day course. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Course outline

  1. Cryptography Primer
    • Symmetric Encryption
    • Pseudorandom Number Generators
    • Hashing and Integrity Protection
    • Asymmetric Encryption
  2. Crypto Basics Quiz
  3. Overview of Modern Attacks
    • Integrity Problems
    • Padding Oracle Attacks
    • Modern Password Cracking
    • Certificates and MitM Attacks
  4. Exercise: Fix their Code
  5. LUNCH
  6. Recent Crypto Innovations
    • Authenticated Encryption
    • Memory-hard Password Hashing
    • Certificate Pinning
    • API Overviews
  7. Exercise: Implement a Safe Token
  8. Testing Your Implementations
    • Ciphertext Fuzzing Techniques
    • Certificate Validation Testing

Target audience

The target audience is developers who wish to learn more about securely implementing cryptographic systems in the real world. No significant background in cryptography is required to take this one-day course.

Objectives and outcomes

Attendees will learn how to avoid common pitfalls in implementing simple cryptographic systems, including encrypted cookies, URL tokens, and similar constructs that are commonly used in areas such as CSRF tokens, forgotten password interfaces, and email tracking systems. Attendees will also learn that, with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure.

About the trainer

Over the past 9 years, Tim Morgan has developed training materials for several two- and three-day courses in the areas of application security, cryptography, digital forensics, and incident response. He has delivered these courses numerous times for clients, which include several Fortune 500 firms. Tim has also successfully delivered training courses for the last two AppSec USA conferences.

Tim regularly presents talks on various deep technical topics at OWASP meetings as well as at other local meetups and conferences. One of his more recent talks was “What You Didn’t Know About XML External Entities Attacks”, which was presented at AppSecUSA 2013.

Enroll in this training course

Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.

AppSec USA

AppSec USA is a world-class software security conference for developers, auditors, risk managers, technologists, and entrepreneurs gathering with the world’s top practitioners to share the latest research and practices, in the high energy atmosphere of Downtown Denver.