Zühlke – Empowering Ideas

Academy

Web Security Workshop

D10145

The best way to learn security is to hack yourself! This course teaches how current web application vulnerabilities work and how to exploit them. With this knowledge, effective countermeasures are discussed and applied.

Subjects that will be discussed:

  • Backend Security (Broken Access Control, SQL Injection, ...)
  • Frontend Security (XSS, CSRF, ...)
  • Secure Development and DevSecOps
Course duration

2 days

Course prerequisites

Participants need a solid basic knowledge of HTML5, JavaScript, and HTTP.

Course overview

This course teaches participants the typical vulnerabilities in modern web applications as well as the tricks of secure web programming. The most common security issues are explained in detail and demonstrated with live sessions. The OWASP Top 10 are an important part of it. 


The new understanding will be applied directly to an insecure web application (OWASP Juice Shop). For this purpose, current security tools such as the OWASP ZAP Attack Proxy or SQLMap are used.


Participants will also learn how to implement countermeasures. The course is deliberately technology-independent and is therefore suitable for any web developer.

Course Agenda
Day 1

The first part of the course focuses on the aspects of server-side security. It alternates between theory, demonstrations, and practical exercises. Participants will be able to attack an application in a protected environment and identify existing vulnerabilities. Common tools are presented, and training is given on how to use them.

Topics covered are:

  • Setup Hacking Lab (OWASP ZAP)
  • Risks and Threats
  • Broken Access Control
  • SQL Injection
  • Authentication, Federated Logins
  • JWT Vulnerabilities
  • Misconfiguration & Known Vulnerabilities
  • Server-Side Request Forgery

 

Day 2

The second day focuses on the client (desktop browser, mobile browser) and participants practice the weak points at the OWASP Juice Shop.

Topics covered are: 

  • XSS (Reflected-, Stored-, Dom-XSS, Mutation-XSS)
  • Same Origin Policy
  • CSRF Attacks
  • CORS & Cookie Security
  • Secure Development (Security Testing Pyramid, Threat Modeling)
  • DevSecOps (Static Analysis, Dependency Checks, Vulnerability Scanner)
     

Secure development and DevSecOps are also new topics covered in the course. Participants will receive practical tips on how to improve security in their own software project.



Day 3 - Fireside Chat (optional)

Approximately two weeks after the course, you will have the opportunity to participate in a 'Fireside Chat'. During this follow-up coaching, the trainers answer open questions and provide valuable tips and suggestions. Participation in the one-hour Fireside Chat is optional and takes place online.

Goals

Participants know the current vulnerabilities of modern web applications (including OWASP Top 10) and can recognize and exploit them. They understand which protective measures exist and how to implement them. Participants also learn about necessary tools to analyze & secure a web application and they can put themselves in the role of a hacker.

Target group

The workshop is aimed at software developers and architects who are involved in web technologies.

Subscribe for public classes

02.11.2022 - 03.11.2022 Zurich

CHF
 
1800.00
  *
The price includes course materials, food for breaks, lunch, and beverages.
Participants need to bring their own Notebook/Laptop.

Members of selected organisations (SwissICT) benefit from discounted rates. Discounts are not cumulative.
-
2  Days
09:00 - 17:00
German
Zürcherstrasse 39j, 8952 Schlieren (Zurich), Switzerland

Ask for a corporate course

You would like to attend this course from another place or at another time? We organise online courses on request, contact us to find out more.

Ask for a course

Show interest in a public course

No public classes available or none of the available dates are convenient for you? Get in touch with us to stay informed about future classes.

Show interest