Claranet cyber security

AppSec for developers

2 day practical class

AppSec for Developers is one of our Specialist Defence classes, covering the latest industry standards including the OWASP Top 10. The class covers a range of security best practices and in-depth approaches to writing secure code and auditing existing code for security flaws.

The course is available directly from Claranet Cyber Security or you can book through one of our partners. The course is now available as live, online training and can be delivered for you individually or for your company. Contact us below with your requirements.

Get certified:

Complete the course wherever suits you; afterwards you can take the optional Check Point AppSec for Developers (CCPE) exam.


Penetration testing (security testing) as an activity tends to catch security vulnerabilities at the end of the SDLC, which is often too late to influence fundamental changes in the way code is written.

We wrote this class because of the increasing need for developers to code securely. It is critical to treat security as a quality attribute within the development cycle. This class educates developers about a range of security vulnerabilities through hands-on practice against our purpose-built insecure web application, which runs on the Microsoft .NET platform. Throughout the class, developers get on the same page as security professionals, learn their language, learn how to fix or mitigate the vulnerabilities covered, and are introduced to real-world breaches, for example the Equifax breach disclosed in September 2017, and to application vulnerabilities reported in popular websites such as Facebook, Google, Instagram and PayPal.

The techniques discussed in this class focus mainly on .NET and Java, owing to their wide enterprise adoption for building web applications. The approach is generic, however, and developers from other language backgrounds can readily apply what they learn in their own environments.

  • Covers the latest industry standards such as the OWASP Top 10, with practical demonstrations of vulnerabilities complemented by hands-on lab practice
  • Insight into the latest security vulnerabilities (such as Host Header Injection, XML External Entity injection, web services and API security, and deserialization vulnerabilities)
  • Thorough guidance on security best practices (introduction to various security frameworks, tools and techniques for secure development)
  • References to real-world analogies for each vulnerability (understand why Facebook would pay $33,000 for an XML External Entity injection vulnerability)
  • Online lab available for practice during and after the course (2 days)
  • Internet distribution of all course materials

A highly practical class that targets web developers, pen testers and anyone else wanting to write secure code or audit code for security flaws. The class covers a range of security best practices and in-depth defensive approaches which developers should be aware of while developing applications. It also covers quick techniques developers can use to identify security issues during code review.

Students have access to our online lab, which is deliberately riddled with multiple vulnerabilities. Students receive demonstrations and hands-on practice of each vulnerability to better understand the issue, followed by techniques and recommendations for fixing it. While the class covers industry standards such as the OWASP Top 10 and the CWE/SANS Top 25, it also covers real-world issues such as business logic and authorization flaws.

Day 1

  • Module 1. Application Security Basics
  • Module 2. Understanding the HTTP protocol
  • Module 3. Security Misconfigurations
  • Module 4. Insufficient Logging and Monitoring
  • Module 5. Authentication Flaws
  • Module 6. Authorization Bypass
  • Module 7. Cross-Site Scripting (XSS)

Day 2

  • Module 8. Cross-Site Request Forgery (CSRF)
  • Module 9. SQL Injection
  • Module 10. XML External Entity (XXE) Attacks
  • Module 11. Insecure File Uploads
  • Module 12. Deserialization Vulnerabilities
  • Module 13. Client-Side Security
  • Module 14. Source Code Review

Audience

This training is ideal for: software and web developers, PL/SQL developers, penetration testers, security auditors, administrators, DBAs and security managers.

Prior pentest experience is not a strict requirement; however, some knowledge of cloud services and familiarity with common command-line syntax will be greatly beneficial.

Pre-requisites

The only requirement for this class is that you bring your own laptop with the latest version of Java (JDK) installed. Attendees will be given access to our online lab, which is built on ASP.NET. All tools and materials required during the class will be provided.

Book your training

We provide training directly (remote or in person) and also work with a range of training partners in different locations around the globe for classroom or remote training. Please contact us with details of your requirements and we will recommend the best route to access our training.

The course can also be booked directly through our accredited training partners.

Other courses in our Ethical Hacking Training

Lab-based training, written by Black Hat trainers.

Classes are ideal for those preparing for CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST and similar industry certifications, as well as those who perform infrastructure or web application penetration testing as a day job and wish to add to their existing skill set.