Trainer Names: Gaurav Nayak, Mihir Doshi

Title: Now You Code SECURE - Secure Code Training

Duration: 4 days (4 hrs each day)

Dates: Dec. 19, 2022 To Dec. 22, 2022

Time: 10 a.m. To 2 p.m. IST

Training Objectives

A lack of secure coding practices can introduce security vulnerabilities that put the organization and its customers at risk.

Java has long been widespread and popular for developing web applications. Its popularity has produced a large community and a huge number of third-party modules, libraries, and frameworks. There are many reasons to learn secure coding; one of them is that developers often use solutions taken directly from the community, or third-party modules, without understanding their security implications.

This training aims to provide a guide to writing secure code and guarding against security vulnerabilities. It will help you with:

  • Understanding secure coding best practices
  • Understanding security vulnerabilities and their impact
  • Understanding common mistakes at the code level
  • Guidance on fixing vulnerabilities through secure coding

Training level: Intermediate; Advanced

Training Outlines

Day 1:

  • Why is Application Security needed?
  • Reactive vs Proactive approach
  • OWASP Top 10 2021 (Web)
  • SQL Injection
  • Cross-Site Scripting

Day 2:

  • XML External Entity (XXE)
  • Command Injection
  • Regular Expression Injection
  • CSRF
  • Open Redirection
  • Insecure File Upload

Day 3:

  • Access Control Flaw
  • Insecure Deserialization
  • Insecure Session Management
  • LFI vs RFI
  • SSRF
  • Business Logic

Day 4:

  • SSTI
  • Insecure Communication
  • Clickjacking
  • Error Handling
  • Best Practices
  • Input Validation
  • User Authentication
  • Security headers
  • Password Handling
  • Logging and Auditing

Who Should Attend?

  • Security Analysts/Consultants
  • Security enthusiasts
  • Java application developers

What to Bring?

  • Laptop with a good configuration and admin privileges
  • VirtualBox or VMware Workstation
  • Burp Suite Community or Pro

Training Prerequisite

  • Basic programming knowledge
  • Basic understanding of Java (Servlet/JSP)
  • Basic knowledge of Burp Suite (good to have)
  • Willingness to learn something new

What will attendees be provided?

  • All training content
  • The vulnerable application, to practice at home

What to Expect?

  • Developers can expect to code securely
  • Security analysts/consultants can expect to learn secure code review
  • Hands-on exercise on a real-life application

What not to expect?

  • Changing the vulnerable source code and fixing the vulnerabilities during the training (we will discuss and explain the solutions)
  • DevSecOps Concepts
  • Going from zero to hero in 4 days of training. This training provides the path and the guidance needed to walk it; attendees will have to walk the path on their own.

About the Trainer

Gaurav Nayak is an information security professional with 9+ years of corporate experience and expertise in web, mobile, secure source code review, and development. He has delivered training at Nullcon in the past. He is active in open security communities such as null and OWASP, and has given talks at such local communities in the past. In his spare time, he loves learning about binary exploitation and trekking.

Mihir Doshi is an information security enthusiast with 7+ years of corporate experience. His expertise is in web and mobile application security assessment and development. He has delivered training at Nullcon in the past. He is also an active member of open security communities such as null and OWASP, and has given talks at such local communities in the past. He spends his spare time learning IoT security, popping machines on Hack The Box, and playing games.