Cryptography for the Modern Developer
Presented by Blindspot Security LLC
About the course
Year after year, cryptography is incorporated into more and more systems. Whether it be encrypting data in transit with off-the-shelf protocols, or implementing custom encryption mechanisms for data at rest, software developers are increasingly expected to leverage cryptography to meet security demands.
However, few developers have the experience or training to implement cryptography safely. The significant learning curve associated with using any cryptographic primitive properly, combined with the error-prone APIs that most development environments expose to developers, has led to countless flaws in modern applications.
This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. Attendees will further learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure. No significant background in cryptography is required to take this one-day course. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.
- Symmetric Encryption
- Pseudorandom Number Generators
- Hashing and Integrity Protection
- Asymmetric Encryption
Crypto Basics Quiz
Overview of Modern Attacks
- Integrity Problems
- Padding Oracle Attacks
- Modern Password Cracking
- Certificates and MitM Attacks
Exercise: Fix their Code
Recent Crypto Innovations
- Authenticated Encryption
- Memory-hard Password Hashing
- Certificate Pinning
- API Overviews
Exercise: Implement a Safe Token
Testing Your Implementations
- Ciphertext Fuzzing Techniques
- Certificate Validation Testing
The target audience is any developer who wishes to learn more about securely implementing cryptographic systems in the real world. No significant background in cryptography is required to take this one-day course.
Objectives and outcomes
Attendees will learn how to avoid common pitfalls in implementing simple cryptographic systems, including encrypted cookies and URL tokens, and similar constructs that are commonly used in areas such as CSRF tokens, forgotten password interfaces, and email tracking systems. In addition, attendees will learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure.
About the trainer
Over the past 9 years, Tim Morgan has developed training materials for several two- and three-day courses in the areas of application security, cryptography, digital forensics, and incident response. He has delivered these courses numerous times for clients, which include several Fortune 500 firms. Tim has also successfully delivered training courses for the last two AppSec USA conferences.
Tim regularly presents talks on various deep technical topics at both OWASP meetings and other local meetups and conferences. One of his more recent talks was “What You Didn’t Know About XML External Entities Attacks”, which was presented at AppSecUSA 2013.
Enroll in this training course
Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.