Web application security masterclass in Python (WASECM-PY) – Outline

Detailed Course Outline

Day 1

  • Cyber security basics
    • What is security?
    • Threat and risk
    • Cyber security threat types – the CIA triad
    • Consequences of insecure software
  • The OWASP Top Ten 2021
    • The OWASP Top 10 2021
    • A01 - Broken Access Control
      • Access control basics
      • Missing or improper authorization
      • Failure to restrict URL access
      • Lab – Failure to restrict URL access
      • Confused deputy
      • File upload
      • Open redirects and forwards
      • Cross-site Request Forgery (CSRF)
    • A02 - Cryptographic Failures
      • Information exposure
      • Cryptography for developers

Day 2

  • A02 - Cryptographic Failures (continued)
    • Cryptography for developers
    • Certificates
    • Transport security
  • A03 - Injection
    • Injection principles
    • Injection attacks
    • SQL injection
    • Code injection

Day 3

  • A03 - Injection (continued)
    • Input validation
    • HTML injection - Cross-site scripting (XSS)
  • A04 - Insecure Design
    • The STRIDE model of threats
    • Secure design principles of Saltzer and Schroeder
    • Client-side security

Day 4

  • A05 - Security Misconfiguration
    • Configuration principles
    • Server misconfiguration
    • Python configuration best practices
    • Cookie security
    • XML entities
  • A06 - Vulnerable and Outdated Components
    • Using vulnerable components
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Malicious packages in Python
    • Vulnerability management
  • A07 - Identification and Authentication Failures
    • Authentication
    • Session management
    • Password management

Day 5

  • A08 - Software and Data Integrity Failures
    • Integrity protection
    • Subresource integrity
  • A09 - Security Logging and Monitoring Failures
    • Logging and monitoring principles
    • Insufficient logging
    • Case study – Plaintext passwords at Facebook
    • Log forging
    • Lab – Log forging
    • Log forging – best practices
    • Logging best practices
    • Monitoring best practices
    • Firewalls and Web Application Firewalls (WAF)
    • Intrusion detection and prevention
    • Case study – The Marriott Starwood data breach
  • A10 - Server-side Request Forgery (SSRF)
    • Server-side Request Forgery (SSRF)
    • Case study – SSRF and the Capital One breach
  • Web application security beyond the Top Ten
    • Code quality
    • Denial of service
  • Security testing
    • Security testing techniques and tools
      • Code analysis
      • Dynamic analysis
    • Finding specific vulnerabilities
      • Cross-site scripting (XSS)
    • Password auditing
      • Using password cracking tools
      • Lab – Password audit with John the Ripper
    • Proxies and sniffing
      • Proxy servers and sniffers
      • Sniffing – tools and considerations
      • Lab – Using a proxy
  • Wrap up
    • Secure coding principles
    • And now what?