Web application security masterclass in Python

Day 1

• Cyber security basics
  • What is security?
  • Threat and risk
  • Cyber security threat types – the CIA triad
  • Consequences of insecure software
• The OWASP Top Ten 2021
  • The OWASP Top 10 2021
  • A01 – Broken Access Control
    • Access control basics
    • Missing or improper authorization
    • Failure to restrict URL access
    • Lab – Failure to restrict URL access
    • Confused deputy
    • File upload
    • Open redirects and forwards
    • Cross-site Request Forgery (CSRF)
  • A02 – Cryptographic Failures
    • Information exposure
    • Cryptography for developers

Day 2

• A02 – Cryptographic Failures (continued)
  • Cryptography for developers
  • Certificates
  • Transport security
• A03 – Injection
  • Injection principles
  • Injection attacks
  • SQL injection
  • Code injection

Day 3

• A03 – Injection (continued)
  • Input validation
  • HTML injection – Cross-site scripting (XSS)
• A04 – Insecure Design
  • The STRIDE model of threats
  • Secure design principles of Saltzer and Schroeder
  • Client-side security

Day 4

• A05 – Security Misconfiguration
  • Configuration principles
  • Server misconfiguration
  • Python configuration best practices
  • Cookie security
  • XML entities
• A06 – Vulnerable and Outdated Components
  • Using vulnerable components
  • Assessing the environment
  • Hardening
  • Untrusted functionality import
  • Malicious packages in Python
  • Vulnerability management
• A07 – Identification and Authentication Failures
  • Authentication
  • Session management
  • Password management

Day 5

• A08 – Software and Data Integrity Failures
  • Integrity protection
  • Subresource integrity
• A09 – Security Logging and Monitoring Failures
  • Logging and monitoring principles
  • Insufficient logging
  • Case study – Plaintext passwords at Facebook
  • Log forging
  • Lab – Log forging
  • Log forging – best practices
  • Logging best practices
  • Monitoring best practices
  • Firewalls and Web Application Firewalls (WAF)
  • Intrusion detection and prevention
  • Case study – The Marriott Starwood data breach
• A10 – Server-side Request Forgery (SSRF)
  • Server-side Request Forgery (SSRF)
  • Case study – SSRF and the Capital One breach
• Web application security beyond the Top Ten
  • Code quality
  • Denial of service
• Security testing
  • Security testing techniques and tools
    • Code analysis
    • Dynamic analysis
  • Finding specific vulnerabilities
    • Cross-site scripting (XSS)
  • Password auditing
    • Using password cracking tools
    • Lab – Password audit with John the Ripper
  • Proxies and sniffing
    • Proxy servers and sniffers
    • Sniffing – tools and considerations
    • Lab – Using a proxy
• Wrap up
  • Secure coding principles
  • And now what?