OWASP Top 10 – Exploitation and Effective Safeguards
Presented by Albero Solutions
About the course
Most web application developers have heard about SQL Injection and Cross-Site Scripting, but few know which safeguards are really effective against expert attackers. Exploitation techniques have evolved greatly in the last few years, and programmers need to keep their guard up. They are in the tough position of securing systems against experienced attackers. What help do they have?
The OWASP Top 10 web application vulnerabilities list has done a great job of promoting awareness on the subject. Along with the many OWASP cheat sheets, it provides valuable tools and techniques to web developers. But such a large body of information can be overwhelming for the programmer who wants to learn about security. This course aims to provide all web developers with deep, hands-on knowledge of the subject.
To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. Then the instructor will demonstrate how attacks are performed against these vulnerabilities. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a vulnerable web site. This step is key to understanding how exploitation works, so that they can later implement effective safeguards in their own systems. Our experience is that participants who have exploited a vulnerability themselves remember how to prevent it.
At the end of the course, participants will have learned:
- What are the OWASP Top 10 vulnerabilities
- How hackers exploit them
- Which safeguards are effective…
- …and which ones are not!
The course will cover the following topics:
- SSL Certificates
- Effective Password Management
- Secure Application Architecture
- Injection Attacks
- Command Injection
- File Injection
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
- Securing Web Services (REST and SOAP)
- Secure Coding Best Practices
- List of Effective Safeguards
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of HTML, XML and SQL, but no prior security experience is required. Security professionals who want to learn more about web security will also benefit from this class.
Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 10 GB of free disk space, a DVD reader and either VMware Player (free) or VMware Workstation pre-installed. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.
About the trainer
David Caissy, OSCP, GWAPT, GPEN, GSEC, CISSP, CEH, has 15 years of experience as a security consultant and web application architect. He has performed security audits, vulnerability assessments and web application penetration tests, and has designed several secure systems. He has worked for banks, the Department of National Defense, various government agencies and private companies. He has taught information security in colleges and in many departments. Mr. Caissy has also contributed to online IT security articles.
Enroll in this training course
Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.