Netcraft Web Application Security Training Course
Designing and Developing Internet Applications Defensively

This is presented as a two-day in-house course for web application development teams, preceded by the development of some bespoke material based on your own sites. It is aimed at application developers and technical managers and concentrates on how to design and code secure Internet applications.

The course draws on the presenters' experience of the stereotypical errors uncovered while testing many web-based applications. Its aim is to help developers 'think security' while developing applications, and it is particularly useful as an immediate follow-on to an application audit.

Entertaining and useful practical sessions are a key part of the course. These include an attack on your own site and a "Treasure Hunt" whereby participants attempt to uncover vulnerabilities in applications hosted on the presenter's machine.

The course covers the following topics:

  • Why Web-based Applications are Insecure
  • Problems of Session Management
  • Getting to know your enemy
  • Reconnaissance (using your own web presence as an example)
  • Testing the Perimeter Defences
  • Soft/Non-technical Security Risks
  • Defensive Design and Coding

The course includes practical sessions in which students attempt to find vulnerabilities in applications and identify ways in which the problems could be fixed or avoided. A more detailed agenda is set out below.

Netcraft

  • Netcraft Services, Customers & Partners
  • Netcraft Internet Metrics

Web-based Applications

  • What is a Web-based Application?
  • Why is it so difficult to develop secure web-based applications?
  • Management
  • Education
  • Technology
  • Trust
  • Anonymity and Accountability
  • Publicity
  • Third Party Code
  • Typical eCommerce Security
  • Summary

Session Management

  • Session Start
  • Session Management Strategies
  • Cookies
  • URL Rewriting
  • Hidden Form Data
  • Web Server Authentication
  • Session Termination
  • Web Browsers
  • Controlling the Client
  • Summary

Coloured Hats

  • Who are the Hackers?
  • Common Vulnerabilities
  • System & Network Configuration
  • Software Configuration
  • Avoiding the Problems
  • Current Activities
  • Summary

Hack a Web-based Application (Guidelines for Testers; based on the client's live service)

Preparing the Ground

  • Whois
  • traceroute
  • nmap
  • What's that Site Running?
  • Other Sources of Information

Testing the Perimeter Defences

  • Finding a Way In
  • Testing for Available Services
  • Do Your Research
  • Using Your Imagination
  • Direct Navigation
  • Data Entry Forms
  • SCRIPT Comments, Other Client Data
  • Predictability
  • Breaking Down the Barricades
  • Staying One Step Ahead
  • Summary
  • Other Security Risks

Defensive Design and Coding

  • Project Management
  • Application Design
  • Defensive Coding
  • Testing
  • Summary

Suggested Reading

  • Deployment and Development Guidelines
  • Security-related Web Sites, News Groups, Mailing Lists

Glossary

Please contact us at sales@netcraft.com for further information and costs.

Posted by mhp at August 17, 2004 03:54 PM