
Web Security for Developers
The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to cause loss to your data or reputation, subvert your resources for their own gain or attack your user base.
Building a secure website is a major challenge today. Developers are not always familiar with the security aspects of development, and it is hard to keep up with the rapid pace of change. More security holes also appear as more and more functionality is added to browsers.
The business risks and costs once an intrusion occurs are very large, and we developers have the responsibility to plan ahead and prevent this. Therefore, it is important that we have a good foundation to stand on when it comes to security and risks.
Life on the Internet is not so harmonious. Unfortunately, you are exposed around the clock to an army of enemies, some people, some robots, with darker goals. These can be to cause loss of information or reputation, to use your resources for personal gain, or to attack your user base.
What you will learn
Introduction
- The reality
- What might an attacker want?
- Social Engineering
HTTPS
- What's wrong with HTTP?
- Man-in-the-middle attacks
- HTTP Strict Transport Security header
Certificates
- Certificate failures
- Certificate pinning
- Lifetime
- Let's Encrypt
Encoding
- Character encoding
- Unicode
- Encoding (UTF-8, UTF-16...)
Cross Site Scripting
- Stored XSS
- Reflected XSS
- DOM Based XSS
- XSS Preventions
Content Security Policy
- Headers and directives
- CSP Reporting
- CSP Nonce
- CSP Validation
Cross site request forgery (CSRF)
- CSRF Attack
- CSRF Prevention
Securing your cookies
- Cookie security
- Same-site cookies
CORS
- Origins
- Same-Origin Policy
- Cross-Origin Resource Sharing
Injections
- SQL Injections
- Blind injection attacks
- File path injections
Authentication & Authorization
- Securing the login form
- Securing the session
- Multi-factor authentication
Denial-of-Service (DoS) attacks
- Network attacks
- Application level attacks
- XML DoS attacks
- Decompression bombs
Password management
- Secure password storage
- Hashing
- Salt and pepper
- Password spraying
Information leakage
- Error action
- Source control leaks
- Response header leakage
- Search engine leakage
Securing our dependencies
- Supply-chain attacks
- Subresource Integrity
Hack yourself
- Hack your own systems
- Tools
- Approach
Target audience
This course is aimed at web developers.
Prerequisites
You should have basic web development experience.
20 900 SEK excl. VAT
NEXT COURSE
- 29 - 30 May 2023
- The course is given remotely or in a classroom
- Contact us for upcoming courses
- If you are a team, there is an opportunity for content adaptation based on your needs
Duration: 2 days, or 4 half days
Level: Beginning
Language: English/Swedish
Course code: T175
REFERENCES
Eye opening! There is a lot that needs to be protected! Tore is an educational course leader and I learned a lot.
PARTICIPANT
I think the line "for developers" is kind of misleading; Not in the way that it's not good for developers, but more that it's most probably a great course for many more roles, product managers, verifiers, project managers and so on.
PARTICIPANT
Web security for developers provides many new valuable insights and should be a minimum for everyone in web development.
PARTICIPANT
Incredibly good course and incredibly good teacher. Maybe a little too much (how can it now be something negative ... but sometimes it got a little full in the head and you started to mix things you learned). 3 days would not hurt. Sometimes a little stressful and not really time for discussions. But, would I like to opt out of any part? Answer No!
PARTICIPANT