Detailed course content
Day 1
- Cyber security basics
  - What is security?
  - Threat and risk
  - Cyber security threat types – the CIA triad
  - Consequences of insecure software

- The OWASP Top Ten 2021
  - The OWASP Top 10 2021 (overview)
  - A01 – Broken Access Control
    - Access control basics
    - Confused deputy
    - File upload
    - Open redirects and forwards
  - A02 – Cryptographic Failures
    - Information exposure
    - Cryptography for developers
 
Day 2
- The OWASP Top Ten 2021 (continued)
  - A03 – Injection
    - Input validation
    - Injection
    - SQL injection
    - SQL injection best practices
    - Parameter manipulation
    - Code injection
    - Script injection
    - Dangerous file inclusion
    - HTML injection – Cross-site scripting (XSS)

Day 3
- The OWASP Top Ten 2021 (continued)
  - A04 – Insecure Design
    - The STRIDE model of threats
    - Secure design principles of Saltzer and Schroeder
    - Client-side security
  - A05 – Security Misconfiguration
    - Configuration principles
    - Server misconfiguration
    - ASP.NET and IIS configuration best practices
    - Cookie security
    - XML entities
  - A06 – Vulnerable and Outdated Components
    - Using vulnerable components
    - Assessing the environment
    - Hardening
    - Untrusted functionality import
    - Vulnerability management
  - A07 – Identification and Authentication Failures
    - Authentication
    - Session management
 
Day 4
- The OWASP Top Ten 2021 (continued)
  - A07 – Identification and Authentication Failures (continued)
    - Password management
  - A08 – Software and Data Integrity Failures
    - Integrity protection
    - Subresource integrity
    - Insecure deserialization
  - A09 – Security Logging and Monitoring Failures
    - Logging and monitoring principles
    - Insufficient logging
    - Case study – Plaintext passwords at Facebook
    - Logging best practices
    - Monitoring best practices
  - A10 – Server-Side Request Forgery (SSRF)
    - Server-side request forgery (SSRF)
    - Case study – SSRF and the Capital One breach

- Web application security beyond the Top Ten
  - Denial of service

- Wrap Up
  - Secure coding principles
  - And now what?
 
 
