Internet Security Awareness Training Manchester

Web Security for Coders

Internet Security Awareness Training Manchester – Web applications have a critical security role, mediating the link between the dangerous open Internet, and high-value internal
systems. Even with strong encryption, high-end firewalls and effective SecOps, just one coding flaw
can leave your systems vulnerable.
This one-day course covers the fundamentals of secure coding for the web. It gives developers the
knowledge and practical experience they need to avoid introducing vulnerabilities like SQL injection
and cross-site scripting into your codebase. The four parts of the course are:

Common vulnerabilities – Attack and defence

Students are provided with a virtual machine image to run on their laptop, which contains hacking
and development tools, and a web application deliberately crafted to contain security flaws. The
instructor demonstrates attacks a flaw just like a hacker would. Students then try this themselves,
gaining a practical understanding of the weakness. They then inspect the code, identify the insecure
coding practice, and modify this to fix the vulnerability. Then the hacking attack is tried again, to
confirm the fix. The session covers: SQL injection, Cross-site scripting, Executable file upload, and
XML external entity injection, and more if time permits.

Access control

This is a more informational session, where best practices around authentication, password
management, session tracking and authorization are explained. Interaction is highly encouraged,
with students able to ask questions to understand how theory applies to applications they work on.
There are also practicals covering: Cross-site request forgery, Forced browsing and Parameter
tampering.

Modern web security features

Another informational session, this covers the security features in modern web browsers and
frameworks, and how these can be leveraged for maximum effectiveness. This includes: TLS
encryption, HTTP strict transport security, Content security policy, Clickjacking, Cross-origin resource
sharing, Subresource integrity and Captcha. There are practicals to teach students how to develop a
strong Content security policy.

Attacking incomplete defences

This is a practical session, following the format of the first session. It builds on the earlier session by
showing how incomplete fixes to vulnerabilities can be attacked by using more sophisticated
payloads, and introduces other vulnerability classes, including Path traversal and Insecure
deserialization.

The Instructor

Paul has worked in cybersecurity since 2002, as a penetration tester, consultant and ISO 27001
security manager. Prior to joining Convergent he has worked as a consultant for a range of
industries, covering finance, technology, utilities, engineering, transport, manufacturing, new media
and charities. He has held pen-testing qualifications from SANS, Crest (application) and Tiger
(infrastructure) and worked as a CHECK Team Leader with SC clearance. He has helped many clients
implement application coding security into agile development lifecycles, including the delivery of
secure coding training to developers.