Security training

1-day training

The 1-day training is an introduction to the OWASP Top 10: how to avoid introducing these vulnerabilities into your code, and how to think like an attacker. Attendees get a full overview of the most common security issues that can be introduced when using current technologies. The training comes with labs that attendees run on their own machines (Docker). Every lab uses the "exploit and fix" format, giving both the attacker's and the defender's perspective. In total there are 4 to 5 labs (chosen together with the customer based on the relevance of the topics). This training does not include an exam.

Topics during the training:

  • Hacker mindset
  • Secure by design
  • Injection
  • Broken Authentication
  • Sensitive Information Exposure
  • Broken Access Control
  • Insecure deserialization
  • Insufficient Logging and Monitoring
  • How to avoid vulnerable libraries
  • Mobile Security (only introduction)
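
As an added illustration of the "exploit and fix" lab format (this is example code written for this page, not one of the training's labs): a login check against a constructed in-memory SQLite database, first with the injectable query and then with the fix. The table contents, the `login_vulnerable` and `login_fixed` function names and the attack payload are assumptions made for the illustration; password storage is deliberately simplified, since that is a separate topic (Broken Authentication).

```python
"""Exploit-and-fix lab: SQL injection in a login check.

Added example, not part of the training material. Assumptions: a constructed
SQLite `users` table with one account (alice / s3cret); the two login functions
are hypothetical application code written for this illustration.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Unsalted SHA-256 is NOT how passwords should be stored (use a salted, slow
    # hash such as bcrypt or Argon2); it is kept minimal so the lab isolates injection.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"s3cret").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Exploit half: user input is concatenated into the SQL text.

    A username of  ' OR 1=1 --  turns the WHERE clause into
    username = '' OR 1=1 --' AND pw_hash = '...'  and the comment marker
    discards the password check entirely.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix half: bound parameters. The driver sends the query structure and the
    values separately, so input can only ever be compared as data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def run_lab() -> dict:
    """Run both variants with a legitimate login and with the injection payload."""
    conn = make_db()
    payload = "' OR 1=1 --"  # constructed attack input
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, payload, "anything"),
        "fixed_legit": login_fixed(conn, "alice", "s3cret"),
        "fixed_injected": login_fixed(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, ok in run_lab().items():
        print(f"{name}: {'login OK' if ok else 'login rejected'}")
```

The lab's teaching point is the last two results: the same payload logs in against the concatenated query and is rejected by the parameterised one, with no input filtering involved.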

3-day training

The 3-day training is a more in-depth session in which the OWASP Top 10 is combined with the OWASP ASVS (Application Security Verification Standard) and the OWASP MASVS (Mobile Application Security Verification Standard). During this training attendees are introduced to attacker tools such as Burp Suite, sqlmap, tplmap (for SSTI), OWASP ZAP, DirBuster and more. Attendees learn how to exploit the vulnerabilities, how to think like an attacker, how to spot common issues and how to fix them using current best practices. Every topic includes at least one lab. At the end of the training, attendees are given a vulnerable web application to exploit (the exam) and write a report on their findings.

Topics during the training:

Hacker mindset

  • How attackers think
  • Non-IT examples (life hacks)
  • Where to look for interesting information

Secure by design (defense in depth)

  • How to write secure code

Injection

  • XSS (Cross Site Scripting)
  • SQL injection 
  • XXE (XML eXternal Entity) 
  • SSTI (Server Side Template Injection)
  • CSTI (Client Side Template Injection) – only for the 3- and 5-day training

Broken Authentication

  • Weak password policies
  • Password and secrets storage (hashing, encrypting)
  • Default username/password
  • Exposed session IDs
  • Information disclosure in error messages (distinguishing a wrong username from a wrong password)

Sensitive Information Exposure

  • Data sent over plain HTTP or FTP (no TLS)
  • Use of salts when hashing
  • Encryption
  • Security headers and HSTS
  • Error handling 

Broken Access Control

  • Session keys and cookie manipulation – only for the 3- and 5-day training
  • JWT attacks
  • CSRF (Cross Site Request Forgery)
  • IDOR vulnerabilities (Insecure Direct Object Reference)
  • Missing access control on HTTP verbs – only for the 3- and 5-day training
  • Sensitive API endpoints left open
  • CORS
  • Hidden functionality exposed

Insecure deserialization

  • JSON deserialization
  • XML deserialization

Insufficient Logging and Monitoring

  • Quick introduction to logging and monitoring an application to detect possible attacks
  • How to avoid log poisoning – only for the 3- and 5-day training

How to avoid vulnerable libraries

  • OWASP Dependency-Check
  • Retire.js

Mobile Security (only introduction)

  • Introduction to the OWASP MASVS
  • The top 10 vulnerabilities in Android and iOS and how to avoid them
  • Mobile security extension 

5-day training

The 5-day training differs from the 3-day training in:

  • The number of vulnerabilities and types of attacks covered
  • The tools and techniques used
  • The technologies introduced during the training
  • In-depth exploitation of each vulnerability


Interested? E-mail us at SirArthur@conandoyle.eu for pricing.