McCullough & Associates | Training | Consulting

(972) 712-7103

Defensive Coding – Secure Application Development


This class first demonstrates to developers how attackers create strategies to compromise applications. Then, the class demonstrates how .Net, Java, and the Open Web Application Security Project (OWASP) provide developers with the tools to successfully develop applications that are difficult or impossible to hack. This class is rich in hands-on opportunities, giving developers a chance to see for themselves how attackers think, how the framework protects the application, and where it falls short. Upon completion of this course, students will satisfy section 6.5 of the Payment Card Industry Data Security Standard (PCI DSS).

Audience

This class is for Java or .Net (C#) developers.

Length: 4 Days

Outline

* Hands-on lab

Common Attacks
  • Injection Flaws *
  • Cross Site Scripting *
  • Cross Site Request Forgery *
  • Malicious File Execution *
  • Security Configuration *
  • Session Hijacking *
  • Encryption *
  • Insecure Direct Object Reference *
  • Failure to authorize/hidden URLs *
Secure Design
  • Layered Design Concepts
  • Object Layer
  • Persistence Layer
  • Presentation Layer
Countermeasures
  • Validation *
    • Validation Controls
    • Strong Typing
    • Regular Expressions
    • White list
    • Scrubbing
    • Black list
  • Encoding *
  • CAPTCHA *
  • Honey Pots *
  • Avoiding SQL Injection *
    • Parameterized Queries/Prepared Statements
    • Stored Procedures
    • Entity Framework/Hibernate
  • Avoiding Cross Site Request Forgeries
Authorization & Authentication
  • .Net Authentication
  • Basic & Digest
  • Forms *
  • Windows Authentication
  • JAAS and other Java authentication services *
  • Authorization
  • Password Security *
  • Brute Force attacks
  • Password Resets
  • Secret Questions/Answers
  • SSL
Session Security
  • Session IDs
  • Policies
  • Hijacking/Fixation Attacks *
Framework Architecture
  • Threading
  • Privileges
  • Audits/Logs *
  • Secure Coding
  • Encryption Services
Securing the Runtime Environment *
  • .Net
    • Code Access
    • GAC
    • Strong named Assemblies
    • CLR
    • Security Zones
    • Permissions
    • Security Policy
  • Java
    • TBD