
Keynote / Chief Guest

Pinarayi Vijayan

Chief Minister

Kerala State

 

Rajeev Chandrasekhar

Union Minister of State for Electronics and Information Technology

Union Minister of State for Skill Development and Entrepreneurship

Govt. of India

Admiral Radhakrishnan Hari Kumar

PVSM, AVSM, VSM, ADC

CHIEF OF NAVAL STAFF

Ministry of Defence, India

Secure Code Audit Exclusive Edition


  • 21-22 Sep 2022
  • 2 days
  • Grand Hyatt, Kochi, India

Trainers

Ranjith Menon, Co-Founder, h1hakz

Manoj Kumar, Co-Founder, h1hakz


PRE-REQUISITE

Secure source code review is a highly effective process of identifying vulnerabilities in software. This process requires a more in-depth analysis of an application in order to find the security flaws.

This training will be hands-on, so you need to bring your own laptop to perform different types of attacks on web-based applications.

  • Machine with Windows, Linux or OS X installed
  • RAM: 8 GB
  • Free disk space: 10 GB
  • VMware Player or VirtualBox installed
 
WHO SHOULD ATTEND
  • Those having basic knowledge in application security.
  • Those having a basic development background.
  • Those who want to perform a manual secure source code review.
  • Those who want to secure the applications they have developed.
  • Those who want to learn secure coding practices.
  • Those who want to learn various source code review methodologies and approaches.
 
WHAT TO EXPECT
  • Exposure to different tools used for performing secure source code review.
  • Demo applications on which to perform secure source code review.
  • Hands-on secure coding CTF challenges.
 
WHAT NOT TO EXPECT

Any professional tools

DURATION

2 days

COURSE CONTENT (ToC)

The course covers relevant application security issues and then demonstrates how to design and develop secure code for an application.

  • DAY 1 - Coding Best Practices
    • Module 1: Introduction to Secure Code Best Practices (SCBP)
      • What is SCBP
      • Need for SCBP
    • Module 2: Insecure Design Flaws
      • Secure design controls based on the architecture
      • Role of the CIA policy in determining the risk
      • Demo
    • Module 3: Parameter Manipulation Attacks and Defenses
      • Bypassing client-side validation
      • Variable manipulation attacks
      • Input validation types
      • Blacklist vs whitelist filters
      • File upload attacks and best practices
      • Insecure Direct Object References
      • Best practices and guidelines to avoid these attacks
      • Demo
    • Module 4: Injection
      • SQL injection
      • Exploiting CSV-based export features using formula injection
      • XML External Entity (XXE) injection
      • GraphQL injection
      • Demo
    • Module 5: Client- and Server-Side JavaScript Attacks
      • Reflected, stored and DOM-based XSS
      • Best practices and guidelines to avoid Cross-Site Scripting attacks
      • Demo
    • Module 6: Cryptography
      • Encryption & decryption
      • Encoding & decoding
      • Hashing
      • Salted hash technique
      • Storage of critical information on the backend side
      • Demo
  • DAY 2 - Coding Best Practices
    • Module 1: Broken Access Control
      • Best practices to manage sessions
      • Setting cookie attributes properly
      • Proper implementation of OTP & CAPTCHA
      • Demo
    • Module 2: Error Handling and Logging
      • Proper implementation of logging
      • Proper error handling
      • Apache Log4j vulnerabilities in Java
      • Demo
    • Module 3: Code Quality Standards and Best Practices
      • Language-specific security misconfiguration
      • Hard-coded information
      • Critical information in comments
      • Client-side hard-coded information
      • Best practices to check for unused code
      • Demo
    • Module 4: Cross-Site Request Forgery (CSRF)
      • Demo
    • Module 5: Server-Side Request Forgery (SSRF)
    • Module 6: Hands-on practice on secure source code review for attendees

Trainers
Ranjith Menon
Co-Founder, h1hakz

Ranjith Menon has more than 12 years of experience. He is an active participant in bug bounty programs, specializes in web application, mobile and cloud security, and is a contributor to the security community and co-founder of h1hakz, an open platform for knowledge sharing through a webcast series. He has found many vulnerabilities for many organizations and has given training at c0c0n XII, c0c0n XI, BSides Delaware, WOPR, HackMiami, etc. Apart from hacking, he makes time for fitness in his work schedule.

Manoj Kumar
Co-Founder, h1hakz

Manoj Kumar has more than 9 years of experience in the field of application security, holds a master's degree in cybersecurity and is a co-founder of h1hakz; he currently works with Backbase as a Senior Application Security Engineer. He has developed many secure application projects using different languages and has code-reviewed a wide range of applications, from embedded systems to web applications, including retail banking and e-commerce applications. He has also given training at c0c0n XII, c0c0n XI, BSides Delaware, WOPR, HackMiami, etc.