Secure Web Application Development Training
www.pivotalsecurity.com
Pivotal Security LLC
14006 SE 6th ST #9
Bellevue, WA 98007
USA
Phone (425) 686-9695
Email info@pivotalsecurity.com
Page 1 of 5
Introduction
Every year, billions of dollars are wasted responding to information security related
incidents. What if these incidents could be prevented in the first place? Most vulnerabilities
in software can be prevented by learning how to design and develop secure software. In
addition to providing security consulting services such as code review, threat modeling and
penetration testing, Pivotal Security also provides secure application development training.
Why Pivotal Security training?
In contrast to a “canned” approach, Pivotal Security customizes security training for your
development team. We first work with you to understand the various aspects of your
application development, such as methodology (waterfall, agile, etc.), compiler and tools,
and testing and release process, and then prepare a custom training plan. This makes our
training precise and provides much more value to attendees.
Structure of the course
Understanding different types of vulnerabilities
Understanding solutions and platform (.NET, Java etc) features for remediation
Demos of vulnerabilities and countermeasures
Hands on project and Q&A
What attendees say
“A fabulous presentation on Web App Security.”
“Your session was very good.”
“… time.”
“I’m inspired”
“It’s really good”
“I would like to express my thanks for such wonderful knowledge”
“It was very useful.”
Pivotal Security | Introduction 2
Course Content
Fundamentals
Understand Common Attack Patterns (OWASP Top 10 for 2010)
o A1: Injection
o A2: Cross-Site Scripting (XSS)
o A3: Broken Authentication and Session Management
o A4: Insecure Direct Object References
o A5: Cross-Site Request Forgery (CSRF)
o A6: Security Misconfiguration
o A7: Insecure Cryptographic Storage
o A8: Failure to Restrict URL Access
o A9: Insufficient Transport Layer Protection
o A10: Unvalidated Redirects and Forwards
Authentication
Basics and how to design secure authentication protocols
How to securely design “Forgot Password” (credential retrieval) functionality
Understand different forms/types of authentication (Kerberos, NTLM, etc.)
Securely storing and managing credentials
Authentication Design Guidelines
Session management threats and guidelines
Authorization
Principle of Least Privilege
Resource Based Authorization
Role Based Authorization
Resource Access Patterns
o Trusted Subsystem model
o Impersonation / Delegation model
Cryptography
Symmetric Encryption
Asymmetric Encryption
Hashing
Applications of Cryptography
o HMAC
o Digital Signatures
o SSL
Secure confidential / critical data
o At rest: In a database, on a file-system
o In transit: Over the network (internet, intranet, etc.)
Secure storage of application configuration data
Input Handling
Input Validation Principles
Consequences of Inappropriate Input Handling (demo and remediation techniques)
o Cross-Site Scripting (XSS)
o SQL Injection
o One-Click Attacks
o XML and XPath Injection
o LDAP Injection
o Response Splitting
o Buffer overflows
o Canonicalization issues
o Unsafe file upload / creation
o And many more…
Error and Exception Handling
Exception management threats
Exception management guidelines
Logging and Auditing
Logging
Auditing
What, when and where to log
About Us
Pivotal Security offers Information Security consulting and training services. We operate
from Seattle, WA, USA and from Hyderabad, AP, India. Pivotal Security’s core team
members have experience working at MNCs including Microsoft and Honeywell and have
provided consulting to government and private companies.
The Core Team
Gaurav Kumar, CISSP
Founder
Gaurav has over 7 years of experience in Information Security. He worked at Honeywell
Labs (Bangalore, India) as a Senior Application Security Engineer responsible for securing
Honeywell’s mission-critical applications. During his term there, he co-authored a patent on
wireless security, received several awards including the Technical Excellence and Team
Excellence awards, and was certified Green Belt in Six Sigma processes. He later worked at
Microsoft (Hyderabad, India) as a Security Consultant, providing application security
services to Microsoft Enterprise Customers in the US and Asia. He was a guest trainer at the
OWASP 2008 New Delhi Conference and Training, where he delivered training on how to
develop secure .NET applications. For his contributions, he received the Services Rock Star
award from Microsoft. He then moved to Redmond, USA to work at Microsoft headquarters
as IT Audit Manager, where he was responsible for auditing the IT systems of Microsoft and
its subsidiaries worldwide. In June 2010, he founded Pivotal Security LLC to provide
information security consulting services.
Sachin Rawat, CISSP
Partner (India operations)
Sachin Rawat is an Information Security expert and holds a B.Tech. (CSE) from
IIIT-Hyderabad. He was among the top 10 winners out of 50,000 participants in a security
competition organised by Microsoft. Prior to founding Viantra, he worked with the ACE
Security Team, a premier Information Security team at Microsoft, where he provided
application and infrastructure security assessment and consulting services to business units
within Microsoft and its clients. His responsibilities included:
He has reviewed over 70 Line-Of-Business applications built across Microsoft and has
delivered security training to 700+ Microsoft FTEs over multiple sessions. He has also
delivered training sessions to 1100+ participants from Government and IT companies across
various training events.