Secure Web Application Development Training




www.pivotalsecurity.com




Pivotal Security LLC

14006 SE 6th ST #9

Bellevue, WA 98007

USA


Phone (425) 686-9695
Email info@pivotalsecurity.com




Page 1 of 5
Introduction
Every year, billions of dollars are spent responding to information security incidents. What if these incidents could be prevented in the first place? Most software vulnerabilities can be avoided by learning how to design and develop secure software. In addition to providing security consulting services such as code review, threat modeling and penetration testing, Pivotal Security also provides secure application development training.


Why Pivotal Security training?
In contrast to a “canned” approach, Pivotal Security customizes security training for your development team. We first work with you to understand the various aspects of your application development, such as methodology (waterfall, agile etc.), compiler and tools, and testing and release process, and then prepare a custom training plan. This makes our training precise and provides much more value to attendees.


Structure of the course
   • Understanding different types of vulnerabilities
   • Understanding solutions and platform (.NET, Java etc.) features for remediation
   • Demos of vulnerabilities and countermeasures
   • Hands-on project and Q&A


What attendees say

   “A fabulous presentation on Web App Security.”
   “Your session was very good. time.”
   “I’m inspired”
   “It’s really good”
   “I would like to express my thanks for such wonderful knowledge”
   “It was very useful.”
Course Content
  Fundamentals
     • Understand Common Attack Patterns (OWASP Top 10 for 2010)
         o A1: Injection
         o A2: Cross-Site Scripting (XSS)
         o A3: Broken Authentication and Session Management
         o A4: Insecure Direct Object References
         o A5: Cross-Site Request Forgery (CSRF)
         o A6: Security Misconfiguration
         o A7: Insecure Cryptographic Storage
         o A8: Failure to Restrict URL Access
         o A9: Insufficient Transport Layer Protection
         o A10: Unvalidated Redirects and Forwards

  Authentication
     • Basics and how to design secure authentication protocols
     • How to securely design “Forgot Password” (credential retrieval) functionality
     • Understand different forms/types of authentication (Kerberos, NTLM etc.)
     • Securely storing and managing credentials
     • Authentication design guidelines
     • Session management threats and guidelines

  Authorization
     • Principle of Least Privilege
     • Resource-based authorization
     • Role-based authorization
     • Resource access patterns
         o Trusted sub-system model
         o Impersonation / delegation model

  Cryptography
     • Symmetric encryption
     • Asymmetric encryption
     • Hashing
     • Applications of cryptography
         o HMAC
         o Digital signatures
         o SSL
     • Securing confidential / critical data
         o At rest: in a database, on a file system
         o In transit: over the network (internet, intranet etc.)
     • Secure storage of application configuration data



  Input Handling
     • Input validation principles
     • Consequences of inappropriate input handling (demo and remediation techniques)
         o Cross-Site Scripting (XSS)
         o SQL Injection
         o One-Click Attacks
         o XML and XPath Injection
         o LDAP Injection
         o Response Splitting
         o Buffer overflows
         o Canonicalization issues
         o Unsafe file upload / creation
         o And many more…

  Error and Exception Handling
     • Exception management threats
     • Exception management guidelines

  Logging and Auditing
     • Logging
     • Auditing
     • What, when and where to log
About Us
Pivotal Security offers information security consulting and training services. We operate from Seattle, WA in the USA and from Hyderabad, AP in India. Pivotal Security’s core team members have experience working at MNCs including Microsoft and Honeywell and have provided consulting to government and private companies.


The Core Team
Gaurav Kumar, CISSP

Founder
Gaurav has over 7 years of experience in information security. He worked at Honeywell Labs (Bangalore, India) as a Senior Application Security Engineer responsible for securing Honeywell’s mission-critical applications. During his tenure he co-authored a patent on wireless security, received several awards including the Technical Excellence and Team Excellence awards, and was certified as a Green Belt in Six Sigma processes. He later worked at Microsoft (Hyderabad, India) as a Security Consultant, providing application security services to Microsoft Enterprise Customers in the US and Asia. He was a guest trainer at the OWASP 2008 New Delhi Conference and Training, where he delivered training on how to develop secure .NET applications. For his contributions, he received the Services Rock Star award from Microsoft. He then moved to Redmond, USA to work at Microsoft headquarters as IT Audit Manager, where he was responsible for auditing the IT systems of Microsoft and its subsidiaries worldwide. In June 2010, he founded Pivotal Security LLC to provide information security consulting services.

Sachin Rawat, CISSP

Partner (India operations)
Sachin Rawat is an information security expert with a B.Tech. (CSE) from IIIT-Hyderabad. He was among the top 10 winners out of 50,000 participants in a security competition organised by Microsoft. Prior to founding Viantra, he worked with the ACE Security Team, a premier information security team at Microsoft, where he provided application and infrastructure security assessment and consulting services to business units within Microsoft and its clients. His responsibilities included:


He has reviewed over 70 line-of-business applications built across Microsoft and has delivered security training to 700+ Microsoft FTEs over multiple sessions. He has also delivered training sessions to 1100+ participants from government and IT companies across various training events.



