Trainings

Our trainings and workshops are based on more than 13 years of experience in training developers in security practices and awareness.

Web Security Awareness & Secure Coding (Hands-On)

Our Web Security training focuses on general security problems (attacks and vulnerabilities) and relevant best practices for web-based applications and services (APIs). Our goal is to help developers achieve a strong understanding of the most important security aspects. We achieve this with many demos and hands-on exercises (especially via OWASP Juice Shop).

Our flexible training offering aims to qualify developers to understand common threats to web applications and services as well as suitable measures to prevent them.

  • Module 1: Introduction to Web and Application Security
    • Introduction to the topic and the approaches of attackers
    • Background of insecure web applications and services
    • Relevant standards and projects (e.g. OWASP Top Ten, SANS 25)
  • Module 2: Hardening of Data Validation
    • Relevant attacks and vulnerabilities in web-based applications (e.g. manipulation of business logic, Cross-Site Scripting (XSS), Interpreter Injection (SQL, HQL, NoSQL), insecure deserialization, etc.)
    • Countermeasures and best practices (incl. secure design principles)
  • Module 3: Security Headers
    • Security headers (e.g. Content Security Policy (CSP))
  • Module 4: Secure User Management
    • Common attacks and vulnerabilities in this area (brute forcing, session hijacking, Cross-Site Request Forgery (CSRF))
    • Countermeasures and best practices (authentication, anti-automation and user registration)
  • Module 5: Hardening of Access Controls
    • Common attacks and vulnerabilities in this area (Privilege Escalation)
    • Countermeasures and best practices
  • Module 6: Cryptography for Developers
    • Hardening of SSL/TLS stack
    • Security APIs
    • Secure handling of secrets
  • Module 7: API Security
    • Common pitfalls and vulnerabilities in this area including CORS, JWT and OAuth/OpenID
  • Module 8: Security Testing
    • Tools and techniques for self-tests and integration into build (CI/CD toolchain)
  • Module 9: Threat Modeling for Developers
    • Practical use of threat modelling techniques to identify security weaknesses in software design (focus will be on the STRIDE methodology)

This training is based on modules that allow us to customize it to your needs. We can offer both a one-day awareness training with a lot of hands-on exercises for the participants and a two-day in-depth secure coding training for developers that covers specific security aspects of selected programming languages and frameworks such as Java EE, Spring, JSF, Angular, or Node.js.

Besides various demos and code examples, the participants will be able to carry out common web attacks on their own against our training application. The number of such hands-on exercises can be defined by the customer.

Duration: 1 day (awareness training) or 2 days (awareness & secure coding training)

Agile Security & DevSecOps

This workshop/training focuses on members of agile development projects (e.g. Product Owners, Scrum Masters, developers, testers, and of course security professionals) who are interested in how best to be both secure and agile.

Topics are:

  • Basics of Web & Agile Security
  • Agile Security Testing (security test automation, pentests, etc.)
  • Security in Scrum projects
  • Security requirements in agile projects (e.g. security user stories, evil user stories)
  • Security and Continuous Delivery / Deployment (DevSecOps)

Duration: 4 hours

Tool-based Security Assessments

In this workshop/training, we qualify participants in executing tool-based security assessments of applications.

Contents:

  • Basics of web security
  • Basics of application security test automation
  • Static and dynamic code scanners (SAST, IAST)
  • Web security scanners (DAST)
  • Software Composition Analysis (SCA)
  • Critical discussion of existing approaches and tools, both in OSS and commercial enterprise sector
  • Integration of security tests into build pipelines (e.g. with Jenkins)
  • Tools and their limits
  • Security testing metrics and reporting

Duration: 3-4 hours

Threat Modelling

In this workshop/training, participants will learn how they can use threat modeling to identify security threats in the requirements, design, or architecture of an application.

Contents:

  • General background and goals
  • Different variants, methodologies (e.g. OWASP and STRIDE) and tools (e.g. MS Threat Modeling Tool)
  • Generic threat modelling methodology that is based on our practical experience from many years of applying threat modelling
  • Detailed threat modeling approach with STRIDE
  • Other methods for threat identification, e.g. threat mapping and abuse cases
  • Agile Threat Modelling
  • Techniques for threat rating (e.g. DREAD, CVSS/CWSS, risks)
  • Hands-on exercise(s) with the participants, ideally based on an existing customer project

Duration: 4-8 hours