M2. Iron-Clad Software Development : How To Build Secure Web Applications
Monday, 8 December 2014
08:30 - 12:00
Orleans B
[This is a full day session.]
The major cause of web insecurity is insecure software development practices. This highly intensive and interactive one-day course provides essential application security training for web application, web service and mobile software developers and architects. The class combines lecture, security testing demonstrations and code review. Students will learn the most common threats against applications and, more importantly, how to code secure web solutions through defense-based code samples.
As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality APIs from various languages and frameworks that provide scalable security controls. The course includes secure coding information for Java, PHP and .NET programmers, but any software developer building web applications, web services or mobile applications will benefit.
Prerequisites:
Participants should be familiar with software development on the web and have a basic understanding of HTML, JavaScript, SQL and server-side web development.
Outline:
Introduction
Authentication Best Practices (2 hours)
    Session Management Best Practices
    Password Storage Crypto
    Forgot Password Secure Workflow
    Major Threats Against AuthN Services
Input Validation (1 hour)
    Regular Expressions
    Positive Validation Patterns
Injection (1 hour)
    Query Parameterization
    Advanced SQL Injection Defense
    Stored Procedure Defense
    Command Injection Defense
XSS Defense - Secure UIs (2 hours)
    Contextual Output Encoding
    HTML Sanitization
    JavaScript and JSON Secure Design
Cross-Site Request Forgery and Clickjacking (2 hours)
    Synchronizer Token Pattern
    Stateless CSRF Defense
    Framebusting
Conclusions and Questions
About the Instructor:
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17-year history of building software as a developer and architect. Jim is also a Global Board Member for the OWASP Foundation, where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP Cheat Sheet Series and several secure coding projects. Jim is currently working on a book with McGraw-Hill and Oracle Press on Java web security. For more information, see http://www.linkedin.com/in/jmanico.