This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP NZ Day 2020-Training-Building Secure APIs and Web Applications

From OWASP
Jump to: navigation, search


Building Secure APIs and Web Applications

Two-Day Interactive Training -- OWASP New Zealand Day 2020

Abstract

The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript, and .NET programmers, but any software developer building web applications and webservices will benefit.

Course Details

Dates: Wednesday and Thursday, 19-20 February 2020

Time: 8:45 a.m. to 5:30 pm.

Course Fee: NZ $1,250.00 (plus EventBrite fees)

Registration Site: https://owaspnz2020-training.eventbrite.com

Prerequisite Skills:

  • Students should have a basic understanding of Linux environment and know their way around the terminal
  • A basic understanding of ‘OWASP TOP-10 Vulnerabilities’ and ‘Basics of Docker’ will be helpful, but not necessary

Attendees Should Bring:

  • Familiarity with the technical details of building web applications and web services from a software engineering point of view
  • Any laptop that can run an updated web browser and Burp Community Edition

Instructors: Jim Manico and Georgia Weidman

Jim's Organisation: Manicode

Georgia's Organisation: Shevira, Inc.

Course Outline

Day 1 - Wednesday

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross-Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS

Day 2 - Thursday

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth 2 Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection

The course will include several hacking and secure coding labs!

Your Instructors

Jim Manico - Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls. For more information, see http://www.linkedin.com/in/jmanico.

Georgia Weidman - Georgia is the founder of Bulb Security where she works as a penetration tester, security researcher, speaker, trainer, and author. She was awarded a DARPA Cyber Fast Track grant for her work in mobile device security and is a member of the CyberWatch Center's National Visiting Committee. She is also a member of the board of advisors at Cybrary, is an Adjunct Professor at UMUC and Tulane University, and is a New America Cybersecurity Policy Fellow. She is also the author of the book Penetration Testing: A Hands-On Introduction to Hacking. She founded Shevirah whose products assess and manage the risk of mobile devices in the enterprise and is a graduate of the Mach37 cybersecurity accelerator. She was the 2015 Women’s Society of CyberJutsu Pentest Ninja. She holds a MS in Computer Science and CISSP, CEH, and OSCP certifications.