The Course

Cybersecurity training for web developers

Below you’ll find the content of our course. We aim to deliver this course as hands-on as possible, as we believe that’s the best way to learn and to keep you engaged. At each stage of the course we’ll discuss real-world examples of the attacks, and you’ll have access to a simulated vulnerable website so you can try each attack yourself and fully understand it. The course isn’t language specific, so whether you’re a PHP, Ruby or C# developer, and whether you work on the frontend or the backend, you’ll find it relevant and easy to follow. You’ll need to bring a Wi-Fi capable laptop with an up-to-date browser.

Introductions

The course begins with introductions around the group and a discussion of our backgrounds in web development. After this, we’ll confirm a brief outline of the course.

Know Your Enemy

We’ll discuss how likely it is that you or your business will be targeted, who is likely to attack your website, and what they are after.

What is OWASP top 10

We’ll discuss what OWASP is and how it helps the cybersecurity and web developer communities, in particular by maintaining the OWASP Top 10, a regularly updated list of the most critical web application security risks.

1) Injection

Learn how attackers can append to or rewrite the queries your backend sends to services such as databases, LDAP directories and the operating system shell, so that those services execute unintended commands or return data the attacker should never see. The root cause is the same in every case: untrusted input is mixed into a command as text instead of being passed to the service as data.

2) Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

3) Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial or healthcare records. Attackers may steal or modify such weakly protected data to commit credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest and in transit, and it requires special precautions when exchanged with the browser.

4) External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be abused to disclose internal files via the file:// URI handler, reach internal file shares, perform internal port scanning, and, depending on the parser, achieve remote code execution or denial of service.

5) Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorised functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data or changing access rights.

6) Security Misconfiguration

Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

7) Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
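As an added example (written for this page, not taken from the course), the Python snippet below renders a constructed user comment into an HTML fragment first unescaped and then escaped for the HTML text context, and then shows the extra check an attribute context needs: escaping alone leaves a `javascript:` URL fully functional inside `href`, so the scheme has to be allow-listed as well. The function names and the `example.org` URL are hypothetical.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(comment):
    # User input dropped straight into the page: any markup in the comment
    # is parsed and executed by the browser as part of the document.
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    # Escape for the HTML text context: < > & " ' become entities, so the
    # browser displays the characters instead of interpreting them.
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def safe_href(url):
    # Attribute context needs more than escaping. html.escape leaves
    # "javascript:alert(1)" untouched, and the browser would happily run it,
    # so only http(s) links are allowed through; anything else becomes "#".
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link_safe(url, text):
    # Every interpolated value is encoded for the exact context it lands in.
    return '<a href="%s">%s</a>' % (safe_href(url), html.escape(text, quote=True))


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable(payload))   # script tag reaches the browser intact
    print(render_comment_safe(payload))         # &lt;script&gt;... is displayed as text
    print(render_link_safe("javascript:alert(1)", "click me"))      # href="#"
    print(render_link_safe("https://example.org/", 'x" onmouseover="alert(1)'))
```

Note that `safe_href` deliberately rejects relative URLs as well; if your application needs them, allow an empty scheme explicitly rather than loosening the check for everything. A templating engine with auto-escaping enabled does the text-context part for you, but the URL scheme check and other context-specific rules (JavaScript strings, CSS, event handler attributes) still have to be applied by the developer.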

8) Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
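The following Python example is added here to show why "deserialization leads to remote code execution" is literally true for native object serialisers (it is illustration code written for this page, not part of the course). Python's `pickle` reconstructs objects by calling whatever importable callable the byte stream names; the constructed `attacker_callable` stands in for something like `os.system` and only records that it was run. The hardened version loads a data-only format (JSON) and validates every field against an allow-list, so the session object can never carry code. All names are hypothetical.

```python
import json
import pickle

# Records what ran, purely so the effect of pickle.loads() is observable.
SIDE_EFFECTS = []


def attacker_callable(marker):
    # Constructed stand-in for os.system("...") or similar: any importable
    # callable named in the byte stream is invoked with attacker-chosen arguments.
    SIDE_EFFECTS.append(marker)
    return {"user": "guest", "role": "user"}


class Payload:
    # pickle stores the answer to __reduce__ ("call attacker_callable(marker)
    # to rebuild me"). That call happens inside pickle.loads, before the
    # application has any chance to inspect the object it is about to get.
    def __reduce__(self):
        return (attacker_callable, ("code ran inside pickle.loads",))


def build_malicious_blob():
    # What an attacker would place in a cookie, queue message or cache entry.
    return pickle.dumps(Payload())


def load_session_vulnerable(blob):
    # Typical pattern: a session blob from the client is unpickled on trust.
    return pickle.loads(blob)


ALLOWED_ROLES = {"user", "admin"}


def load_session_safe(blob):
    # Data-only format plus strict validation: JSON can only yield dicts,
    # lists, strings and numbers, never a callable, and every field is checked.
    try:
        data = json.loads(blob.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("rejected: not a valid JSON session") from exc
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        raise ValueError("rejected: unexpected shape")
    if not isinstance(data["user"], str) or data["role"] not in ALLOWED_ROLES:
        raise ValueError("rejected: bad field values")
    return {"user": data["user"], "role": data["role"]}


def is_rejected(blob):
    # Helper for checks: True if the safe loader refuses the blob.
    try:
        load_session_safe(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    SIDE_EFFECTS.clear()
    print(load_session_vulnerable(build_malicious_blob()))  # looks like a harmless dict...
    print(SIDE_EFFECTS)                                     # ...but code already ran
    print(is_rejected(build_malicious_blob()))              # True
    print(is_rejected(b'{"user": "mallory", "role": "superuser"}'))  # True: escalation blocked
```

Even with the JSON loader, the blob still needs integrity protection (a signature or MAC) if it comes from the client, otherwise a user can simply edit `"role": "user"` to `"role": "admin"`; the validation above limits what a tampered value can be, it does not prove who wrote it.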

9) Using Components With Known Vulnerabilities

One of the best things about software development is when someone has already done the job for us with frameworks, libraries and plugins. The catch is that a vulnerability in a widely used component is a high-value target for attackers, because one flaw can be exploited against every site that ships it, and the component runs with the same privileges as your own code.

10) Insufficient Logging & Monitoring

A worrying statistic is that on average it takes around 206 days for a business to discover it has been breached. With sufficient logging and monitoring you can detect that someone is attacking your website while it is happening, rather than months later.
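As an added example of what "monitoring" means in practice (written for this page, not taken from the course), the Python snippet below runs a simple detection rule over a handful of constructed web-server log lines in the common "combined" format: five or more failed POSTs to `/login` from one IP inside a sixty-second window raises an alert, and the alert notes whether that IP then logged in successfully, which is the signal that the guessing probably worked. The log lines, addresses (from the documentation ranges) and the `/login` path are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (not taken from the page).
# 203.0.113.7 hammers /login and then gets in; 198.51.100.4 is a normal user who mistypes once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "POST /login HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    # Returns the fields the rule needs, or None for lines that are not request lines.
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(text, threshold=5, window_seconds=60):
    """Return {ip: details} for IPs with >= threshold failed logins inside one window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/login":
            continue
        if ev["status"] == 401:
            failures[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 200:
            successes[ev["ip"]].append(ev["ts"])

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window over this IP's failure timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # A success after the burst is the part worth paging someone for.
                later_success = any(t > times[end] for t in successes.get(ip, []))
                alerts[ip] = {
                    "window_start": times[start],
                    "failures": end - start + 1,
                    "success_after_burst": later_success,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The rule only works if the application logs the outcome of every authentication attempt with a timestamp and source address; the same event stream can feed rate limiting and account lockout as well as alerting. Thresholds are deliberately parameters, since the right values depend on your traffic, and a real deployment would run this continuously over a log shipper rather than over a string.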

Other Vulnerabilities

As well as the OWASP top 10 we’ll discuss a few other areas worth talking about such as file inclusion exploits, Cross-Site Request Forgery, URL Redirection and more.

Hack The Box Challenge

After all the learning, this is where we get to have some fun. We’ve built a vulnerable website, and using your newfound skills you’ll pick out its vulnerabilities. The first person to complete all the tasks wins a cash prize and a place on our leaderboard.

Questions

This is your chance to ask the trainer any extra questions or to confirm any points from the course. We find it an excellent time to discuss how to apply what you’ve learnt to a live project you’re currently working on.

Thanks and Goodbye

It’s time to leave and put what you’ve learnt into practice. You’ll be awarded a certificate, a Dev Secure hoodie and a link to your unique profile on iam.devsecure.org, which you can put on your website or CV to show future clients or employers that you’ve had security training.

Coming soon…

Our training course isn’t quite ready yet, but if you’re interested please drop us a message below and we’ll get back to you once it’s finished.