Web application security masterclass in Python

Day 1

• Cyber security basics
•        What is security?
•        Threat and risk
•        Cyber security threat types – the CIA triad
•        Consequences of insecure software
• The OWASP Top Ten 2021
•        The OWASP Top 10 2021
•        A01 - Broken Access Control
•                Access control basics
•                Missing or improper authorization
•                Failure to restrict URL access
•                Lab – Failure to restrict URL access
•                Confused deputy
•                File upload
•                Open redirects and forwards
•                Cross-site Request Forgery (CSRF)
•        A02 - Cryptographic Failures
•                Information exposure
•                Cryptography for developers

Day 2

• A02 - Cryptographic Failures (continued)
•        Cryptography for developers
•        Certificates
•        Transport security
• A03 - Injection
•        Injection principles
•        Injection attacks
•        SQL injection
•        Code injection

Day 3

• A03 - Injection (continued)
•        Input validation
•        HTML injection - Cross-site scripting (XSS)
• A04 - Insecure Design
•        The STRIDE model of threats
•        Secure design principles of Saltzer and Schroeder
•        Client-side security

Day 4

• A05 - Security Misconfiguration
•        Configuration principles
•        Server misconfiguration
•        Python configuration best practices
•        Cookie security
•        XML entities
• A06 - Vulnerable and Outdated Components
•        Using vulnerable components
•        Assessing the environment
•        Hardening
•        Untrusted functionality import
•        Malicious packages in Python
•        Vulnerability management
• A07 - Identification and Authentication Failures
•        Authentication
•        Session management
•        Password management

Day 5

• A08 - Software and Data Integrity Failures
•        Integrity protection
•        Subresource integrity
• A09 - Security Logging and Monitoring Failures
•        Logging and monitoring principles
•        Insufficient logging
•        Case study – Plaintext passwords at Facebook
•        Log forging
•        Lab – Log forging
•        Log forging – best practices
•        Logging best practices
•        Monitoring best practices
•        Firewalls and Web Application Firewalls (WAF)
•        Intrusion detection and prevention
•        Case study – The Marriott Starwood data breach
• A10 - Server-side Request Forgery (SSRF)
•        Server-side Request Forgery (SSRF)
•        Case study – SSRF and the Capital One breach
• Web application security beyond the Top Ten
•        Code quality
•        Denial of service
• Security testing
•        Security testing techniques and tools
•                Code analysis
•                Dynamic analysis
•        Finding specific vulnerabilities
•                Cross-site scripting (XSS)
•        Password auditing
•                Using password cracking tools
•                Lab – Password audit with John the Ripper
•        Proxies and sniffing
•                Proxy servers and sniffers
•                Sniffing – tools and considerations
•                Lab – Using a proxy
• Wrap up
•        Secure coding principles
•        And now what?