ISSA-LA InfoSec Summit XI

Everything You Need To Know About Web, API and Mobile Secure Coding

Instructor: Jim Manico

Bio: 
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is an a investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne Rock Stars and Java Champion community and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation where he helps build application security standards and other documentation.

Description:
The major cause of web service, mobile and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application, mobile and web service developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web and mobile solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, Swift, Objective C, PHP, Python, Javascript and .NET programmers, but any software developer building web applications and web services will benefit.

Student Requirements:
Familiarity with the technical details of building web applications, mobile and web services from a software engineering point of view.

Laptop Requirements:
Any laptop that can run an updated web browser and "Burp Community Edition".

Day 1 of the course will focus on web application basics.

- Introduction to Application Security
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- Content Security Policy
- Intro to Angular.JS Security
- Intro to React.JS Security
- SQL and other Injection
- Cross Site Request Forgery
- File Upload and File IO Security
- Deserialization Security
- Input Validation Basics
- OWASP Top Ten 2017
- OWASP ASVS

Day 2 of the course will focus on API secure coding, Identity and Mobile Security

- Web service, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth 2 Security
- OpenID Connect Security
- iOS Secure Coding
- Android Secure Coding
- 3rd Party Library Security Management
- Application Layer Intrusion Detection