Parler Haut, Interagir Librement

PHP Application Security

Duration:

5 days

Price:

CA$2,200.00/CA$1,800.00

Session:

Montreal (Quebec) - 2011-01-24 to 2011-01-28

French - CA$2,200.00/CA$1,800.00
TBA

Montreal (Quebec) - 2011-02-21 to 2011-02-25

English - CA$2,200.00/CA$1,800.00
TBA

On request

Just ask for availability.

Description:

This training, led by an expert in application security, distributed over five (5) days, helps students become familiar with the principles and best security practices on the development and testing of web applications made in PHP. This training is designed to provide an overview of application security for web programmer. This course covers all major types of vulnerabilities, penetration testing, security aspects related to the design and application development as well as the integration of security within the development cycle of an organization.

Five reasons to participate

Main security traps
Learn about the best practices to prevent the introduction of vulnerabilities and learn how to identify common and important mistakes.
Pragmatic
Lecture and Training. Make your exercises, analysis and testing in a real web environment.
Save time and money
Avoid losses due to vulnerabilities and patches subsequent of development.
Proven methodology and expertise
Our training follows all the principles of the methodology Open Web Application Security Project (OWASP) and several additions to PHP from the experience of many security experts and PHP.
Exclusive offer
Attend a proven training, given by an internationally recognized expert in PHP applications security.

Public:

  • Developer
  • Webmaster
  • Web Project Manager
  • Technology Architect
  • Security Advisor

Prealable:

Basic knowledge of PHP

Method:

Lectures with demonstrations and hands-on labs

Contenu:

Introduction

  • Web Application Security
  • Threats and Risks
  • Application Security vs. Network Security
  • Limitations of Firewalls and SSL encryption

Organizations and Standards

  • Introducing OWASP (Open Web Application Security Project)
    • What is OWASP?
    • Role and Mission of the Organization
    • Key Tools and Documents
  • SANS (SysAdmin Audit Network Security)
    • Role and Mission of the Organization
    • Key Tools and Documents
  • NIST (National Institute of Standards and Technology)
    • Role and Mission of the Organization
    • Key Tools and Documents
  • CIS (Center for Internet Security)
    • Role and Mission of the Organization
    • Key Tools and Documents
  • PCI-DSS and Application Security
    • Presentation of the Standard
    • Requirements on the Application Security
  • ISO 27000
    • Presentation of the Standards
      • ISO 27001
      • ISO 27002 - ISO-17799
      • IS0 27005

Types of Security Vulnerabilities

  • Design Flaws
  • Implementation Flaws
  • Operational Faults

Security in the Development Lifecycle (SDLC)

  • Different Phases of SDLC
  • Security Integration within the Development Cycle

Tisks, Vulnerabilities and Attacks

  • OWASP Top 10 (2010 version)
    • A1: Injection
      • (SQL, XML, LDAP, etc.)
    • A2: Cross-Site Scripting (XSS)
    • A3: Broken Authentication and Session Management
    • A4: Insecure Direct Object References
    • A5: Cross-Site Request Forgery (CSRF)
    • A6: Security Misconfiguration
    • A7: Insecure Cryptographic Storage
    • A8: Failure to Restrict URL Access
    • A9: Insufficient Transport Layer Protection
    • A10: Unvalidated Redirects and Forwards
  • Others Majors Attacks
    • Malicious File Execution
    • Information Leakage and Improper Error Handling
  • PHP Specific Attacks

Security Program

  • security principles
    • Reducing the Attack Surface
    • Default Security
    • "Least Privilege" Principle
    • "Defense in Depth" Principle
    • Fail Securely
    • No implicit Trust
    • Separation of roles
    • Skip "Security by Obscurity"
    • Keep security simple
    • Correct Safety Deficiencies Correctly
  • Web Application Firewall (WAF)
    • Principles and General Running
    • WAF Positioning of an Overall Strategy
    • Commercial Tools and Free Software
  • Security in PHP
    • Installing and Configuring PHP
    • Error Handling
    • Data Validation
    • Output Protection
    • Others Protection
  • Using Application Frameworks
    • Simple Solutions for Security
    • Lithium
    • Solar
    • Symfony
    • Zend Framework

Data Security

  • Databases
  • Cryptography
    • Introduction to Cryptography
      • Symmetric Encryption
      • Asymmetric Encryption
    • Encryption and Decryption
    • Encryption Functions
    • Management Tool
    • Hash Function
    • Digital Signature
    • Authentication
  • Access Control: Authentication and Authorization
    • Authentication
      • Introduction to Authentication
      • Identifications Factors
    • Authorization
      • Introduction of Authorization
      • Roles
        • Separation of Roles
        • Principle of "Least Privilege"

Check the Software: Code Review and Penetration Testing

  • The Importance of Security Assessments
  • Position in the SDLC
  • Testing Methodology
  • Manual Approach vs. Automated Approach
  • Presentation Tools Available