Price 8,232 ILS

DURATION 4 Days

Course Overview

Most of the focus when dealing with security has been on securing the network infrastructure (firewalls, VPNs etc.) and the server OS (e.g. patch management systems). However, in the last few years the focus has shifted to the application layer. This is because infrastructure (network and OS) security has improved significantly while applications have remained vulnerable. The application layer has become the main target of attack, while secure applications have become synonymous with higher quality.
The course covers the different aspects of application security including authentication, authorization, auditing, confidentiality and data-integrity, as well as the different technologies addressing these requirements. It includes the risk analysis model and explains how to use it to analyze the risks associated with application vulnerabilities.
Participants learn how to build secure applications: starting from including security in the application development life cycle and continuing to secure coding practices and security testing tools.

Who should attend?

Application developers, software system engineers, development engineers, system architects and information security experts

Prerequisite:

Experience in application development

Course Outline:

1. Introduction
• The risks caused by unsecure applications: application vulnerabilities and associated threats
• Examples of application layer attacks and associated risks
• Security infrastructure and how it helps to protect the application

2. Encryption and hash functions
• Ensure data confidentiality and data integrity
• Symmetric encryption
– Stream encryption algorithms
– Block encryption algorithms
• Asymmetric encryption
• Message hash functions and HMAC
• Digital signatures and digital certificates
• How to secure the data (e.g. masking, encryption, etc.)
• Crypto++ examples
• Confidentiality best practices

3. Authentication and Identity Management
• Passwords including password management
• Challenge-response authentication and tokens
• One-time passwords (OTP) and OTP tokens
• Smart cards and public key technology
• Password storage and management
• Brute force and dictionary attacks
• Biometric authentication
• Two factor authentication
• Ticket based authentication
• Digital certificates
• PKI, public key infrastructure
• PAM, pluggable authentication modules
• RADIUS
• Identity management

4. Application Layer Vulnerabilities
• Coding vulnerabilities
– Input validation
– Injection attacks
– Application layer DoS
• Business logic vulnerabilities

5. Input Validation
• Server side validation
• Client side validation
• Input validation using positive security logic
• Input validation using negative security logic
• Canonicalization and evasion
• Injection attacks and countermeasures

6. Authorization and Access Control
• The principle of least privileges
• Access control matrix
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Distributed enforcement model with centralized management

7. Auditing and Logging
• The need
• Central logging
• Auditing and log analysis

8. Risk Analysis and Threats
• Vulnerability, threat and risk
• Risk analysis and risk mitigation
• Security risks
• Identifying threats
• STRIDE threat model and threat modeling
• DREAD and risk management
• Responding to threats (risk mitigation)

9. SDLC – Secure Development Life Cycle
• The Methodology
• Integrating security requirements
• Secure design
• Secure coding
• Security testing
• Security in deployment, support and maintenance
• Security policy management

10. Secure Design
• Guidelines to designing secure applications
• Reducing the attack surface
• Identifying trusts and secrets

11. Threat Modeling and SDLC Tools
• Microsoft threat analysis and modeling tool
• Pattern and practice check lists
• Creating a threat model

12. Application Layer Vulnerabilities
• Business logic vulnerabilities
• Coding vulnerabilities
• Web application vulnerabilities
– Injection attacks
– Buffer overflow
– XSS, cross site scripting
– XSRF, cross site request forgery
– Application layer DoS and DDoS

13. Web Services Security Standards
• XML encryption
• XML digital signatures
• SAML
• XCAML
• Web service security

13. Secure Communication Protocols
• SSL
• IPSec

14. Summary