Web Security Testing - Bespoke
Day 1: Secure SDLC & Secure Design
Architecture principles - defining organisation-wide security requirements
- Recommended technology stacks
- Data exchange mechanisms
- Authentication methods
- Encryption requirements
- Network segmentation
- Patching strategy
SSDLC - overview of security controls
- Planning
  - Security requirements (PCI DSS, etc.)
  - Framework selection
- Requirements & Design
  - Threat modeling
  - Architecture evaluation
  - Risk mitigations
- Implementation & Coding
  - Secure coding practices
  - SAST & SCA
  - Code review
- Testing
  - DAST
  - Fuzz testing
- Deployment
  - Penetration testing
  - Configuration evaluation and monitoring
  - Monitoring and logging
- Maintenance
  - Vulnerability management
  - Patching
  - Monitoring and anomaly detection
Hands-On
• Group threat modeling on a sample system
• Writing security requirements for a new feature
• Reviewing a design diagram for security flaws
Day 2: OWASP Top 10 & Web Application Security
- Broken Access Control & Authentication Flaws
  - Forced browsing
  - JWT tampering
  - Parameter tampering
  - IDOR
- Injection Flaws
  - Command injection
  - SQL injection
  - SSTI
  - XSS
  - Path traversal
- File upload vulnerabilities
- Insecure Deserialisation
- Security Misconfigurations
  - CSRF
  - XML External Entities
  - HTTP header recommendations
Hands-On
- Use security testing tools to find vulnerabilities in a demo web app
- Code review: find and fix XSS, SQLi, and authentication flaws in code snippets
- Patch a vulnerable open-source component
Day 3: DevSecOps & CI/CD Security
- Automated tests in CI/CD
  - SCA
  - SAST
  - DAST
  - Container scanning
- Secrets management in CI/CD
  - Secrets overview
  - Risks associated with secrets leakage
  - Common mistakes
  - Best practices
  - Tools and platforms
  - Secrets monitoring and revocation
- IaC security
  - IaC security risks
  - Common mistakes
  - Best practices
Hands-On
- Analysing reports from SCA, SAST and container scanning
  - Triage and elimination of false positives
  - Using a dynamic scanner to eliminate false positives from SAST and SCA
Day 4: Advanced AppSec, API Security, Incident Response
- API security: authentication, authorisation, rate limiting, input validation
- Microservices security: service-to-service authentication, secure service mesh patterns
- Security testing for APIs: fuzzing, automated API security tools
- Incident response basics
  - Detection and Identification
    ~ Detection sources: SIEMs, EDRs, logs, user reports
    ~ Indicators of compromise (IOCs)
- Containment
  - Network isolation, blocking IPs/domains, disabling accounts
- Eradication
  - Identifying the root cause
  - Removing threats
- Recovery
  - System reimaging, data restoration
  - Ensuring a clean state
  - Monitoring for reinfection
- Lessons learned
  - Post-incident reviews
  - IR playbooks
- Designing for fault tolerance and rapid recovery
  - DR vs HA
  - Redundancy
    ~ Active/passive
    ~ Load balancing and failover
  - Isolation & Segmentation
  - Rapid recovery tactics
    ~ Snapshotting, canary release
    ~ Autoscaling
  - Real-world design patterns
    ~ Netflix Chaos Monkey
    ~ Kubernetes
    ~ AWS multi-AZ and multi-region setups
Hands-On
- Secure an insecure REST API: add authentication, fix access control, and sanitise inputs
- Fuzz an API endpoint and analyse results
- Simulate a security breach and walk through the incident response process
- Implement logging and monitoring for an app, then detect a simulated attack