Secure code auditing is a highly effective process for identifying vulnerabilities in software. This
process requires a more in-depth analysis of an application in order to find its security flaws.
This comprehensive training will be a hands-on course on how to perform secure code auditing,
so you will need to bring your own laptop to perform different types of attacks on web-based applications.
Windows/Linux/OS X installed machine
RAM – 8 GB
Free space on your machine – 10 GB
VMware Player installed on your machine
WHO SHOULD ATTEND:
Those who want to perform a manual secure code audit.
Those who have a very basic knowledge of the OWASP Top 10.
Those who want to build secure applications.
Those with a basic development background.
Those who want to learn various source code review methodologies and approaches.
WHAT TO EXPECT:
Exposure to different tools used for performing attacks
J2EE based demo application to perform secure code audit
WHAT NOT TO EXPECT:
Any professional tools
Course Duration: 1 Day
The course covers relevant J2EE-based web application issues and then demonstrates how to
design and build code defenses into an application.
Module 1: Secure Source Code Review (SSCR) Approaches
➢ What is SSCR
➢ Need for SSCR
➢ Different ways of doing SSCR
➢ SSCR vs Dynamic Application Security Testing
Module 2: Input Validation
➢ Bypassing client-side validation
➢ Variable manipulation attacks
➢ Insecure Direct Object References
➢ File upload attacks and best practices
➢ Reflected, Stored and DOM-based XSS
➢ Proper implementation of OTP & CAPTCHA
➢ Best practices and guidelines to avoid these attacks
Module 3: Injection
➢ Blind & Second-Order SQL injection
➢ Formula injection in CSV-based export features
Module 4: Error Handling and Logging
➢ Proper implementation of logging
➢ Proper error handling
Module 5: Code Quality
➢ Language-specific configuration checks
➢ Hard-coded information
➢ Critical information in comments
➢ Client-side hard-coded information
➢ Best practices to check for unused code
Module 6: Cryptography
➢ Encryption & Decryption
➢ Encoding & Decoding
➢ Salted hash technique
➢ Storage of critical information on the backend side
Module 7: XML External Entity (XXE) Attack
Module 8: Cross Site Request Forgery (CSRF)
Manoj Kumar has more than 6 years of experience in the field of application security and the secure coding process and is a co-founder of h1hakz. He has developed many secure application projects using different languages and has code reviewed a wide range of applications, from embedded systems to web applications including retail banking and e-commerce applications.
Handle: @cysmanojsah, @h1hakz
Ranjith Menon has more than 8 years of experience. He is an active player in bug bounty programs, specializes in web application, mobile and cloud security, is a contributor to the security community and is a co-founder of h1hakz, an open platform for knowledge sharing through a webcast series. He has also found many vulnerabilities for many organizations. Apart from hacking, he makes time for fitness in his work schedule.
Handle: @ranjith_menon16, @h1hakz
For more information: