SECURE APPLICATION CODING
(SyScan_08_03)
Application source code, independent of language and platform,
is a major source of vulnerabilities. One of the CSI surveys on
vulnerability distribution suggests that 64% of the time a
vulnerability crops up due to programming errors and 36% of the
time due to configuration issues. According to IBM labs, there is a
possibility of at least one security issue in every 1,500 lines of
code. To avoid this sort of security issue one needs to follow sound
secure coding and design principles. It is also imperative to know
code review methodologies and strategies to assess the quality of
code before deploying it to production. The course is designed by
the author of "Web Hacking: Attacks and Defense", "Hacking Web
Services" and "Web 2.0 Security – Defending Ajax, RIA and SOA",
who brings his experience in application security and research into
the curriculum. The Secure Coding course for Applications is a
hands-on class. The class features real-life cases, hands-on
exercises, code scanning tools and defense plans. Participants are
methodically taken down to the source code level and exposed to
flaws in design and coding practices. The class then focuses on the
proper ways of writing secure code and analyzing the code base. This
class addresses popular languages and platforms such as VB/C# (.NET),
Java (J2EE), PHP and ASP.
Class Outline:
• Application security fundamentals: Application evolution,
layered threats, threat models, attack vectors and the hacker's
perspective.
• Application infrastructure overview: Protocols (HTTP/SSL),
tools for analysis, server layers and browsers.
• Application architecture: Overview of .NET and J2EE application
frameworks, application layers and components, resources and
interactions, other languages.
• Advanced web technologies: Ajax, Rich Internet Applications
(RIA) and Web Services.
• Application attack vectors and detailed understanding: SQL
injection, Cross Site Scripting (XSS), Cross Site Request Forgery
(CSRF), path traversal, session hijacking, LDAP/XPath/command
injection, buffer overflow, input validation bypassing, database
hacks, Ajax exploits, Web Services attack vectors, decompiling
assemblies and many more.
SHREERAJ SHAH
Blueinfy
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy and
SecurityExposure, companies that provide application security and
On Demand Scanning services. Prior to founding Blueinfy, he was
founder and board member at Net Square. He also worked with
Foundstone (McAfee), Chase Manhattan Bank and IBM in the security
space. He is the author of popular books such as Web 2.0 Security
(Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking:
Attacks and Defense (Addison-Wesley 03). In addition, he has
published several advisories, tools and whitepapers, and has
presented at numerous conferences including RSA, AusCERT, InfosecWorld
(Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA and
OWASP. His articles are regularly published on Securityfocus,
InformIT, DevX, O'Reilly and HNS. His work has been quoted as expert
commentary by the BBC, Dark Reading and Bank Technology. Shreeraj
was instrumental in product development, researching new methodologies
and training designs. He has performed several security consulting
assignments in the areas of penetration testing, code reviews,
web application assessments, security architecture reviews and
managing projects (products/services).