Web Applications and APIs Secure Coding Workshop

- Informatics - IT Professionals

14 Nov 2023 08:30 to 15 Nov 2023 13:30
English
8 hours (2 days)

DESCRIPTION

Cybersecurity is vital for organisations. This workshop educates participants on common vulnerabilities, their impact, and effective mitigation strategies. Through this training, developers gain valuable insight into vulnerability management and hands-on experience with exploitation techniques.

The overall goal of the workshop is to empower developers to effectively address and mitigate well-known vulnerabilities throughout the development lifecycle of web applications and Application Programming Interfaces (APIs).

Existing and new systems, applications, and services must prioritise security best practices during design, implementation and development. By addressing commonly identified vulnerabilities, developers can mitigate risks and enhance security throughout the product lifecycle. This builds customer trust, drives financial growth, and promotes a strong cybersecurity culture.

SEMINAR OBJECTIVES

By the end of the training, participants will be able to:

  • Describe well-known vulnerabilities that may affect the organisation's products.
  • Correlate a vulnerability with the corresponding impact and risk it may pose to the organisation.
  • Classify vulnerabilities into the OWASP Top 10 categories and state why mitigation actions may be necessary based on their severity.
  • Adopt cybersecurity best practices during the development life cycle of the organisation's products.
  • Explain why secure development is necessary for web applications, APIs and more.
  • Identify potential risks affecting, among others, web applications and APIs, and describe solutions that may be applied to mitigate these risks.
  • Cooperate with stakeholders to promote secure development initiatives and integrate them into the development lifecycle of web applications, APIs, and other products.
  • Challenge current processes within their company so that they can be replaced or re-engineered based on security best practices.

WHO SHOULD ATTEND

This training is addressed to software developers (front-end, back-end, full-stack) who develop web applications and APIs and write code in their day-to-day work. Participants must have a software development background and be familiar with concepts such as authentication and authorisation, session management, and the configuration of web servers, databases, web applications and APIs.

MORE INFORMATION

Agenda

1. Introduction (30 mins)

  • Threat Actors
  • Goals and Objectives
  • OWASP Top 10 categories

2. Authentication Vulnerabilities, Practical Examples & Mitigation Strategies (1 hr & 30 mins)

  • Username Enumeration
  • Lack of Lock-out Functionality
  • Weak Password Policy (Server-side)
  • Inconsistent Password Policy
  • Misconfiguration on “Forgot Password” functionality
  • Utilisation of Unencrypted Communication Channels

3. Session Management Vulnerabilities, Practical Examples & Mitigation Strategies (1 hr)

  • Lack of Session Invalidation
  • Session Token in URLs
  • Session Fixation
  • Cross-Site Request Forgery Attacks

4. Input Validation Vulnerabilities, Practical Examples & Mitigation Strategies (1 hr & 30 mins)

  • SQL Injection Attacks (Error-based and Blind SQL injection attacks)
  • Open Redirection
  • Cross-Site Scripting Attacks (Reflected, DOM-based, Stored)
  • Operating System Command Injection
  • XML External Entity (XXE) Injection Attacks
  • Deserialisation Attacks (Jenkins deserialisation)

5. Authorisation Vulnerabilities, Practical Examples & Mitigation Strategies (30 mins)

  • Access Control Attacks
  • Insecure Direct Object Reference Attacks
  • Authorisation Bypass Attacks

6. Business Logic Vulnerabilities, Practical Examples & Mitigation Strategies (30 mins)

  • Arbitrary File Upload Attacks
  • Insecure Implementation of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) – Replay Attacks
  • Application Implementation Flaws leading to workflow circumvention

7. Configuration Weaknesses, Practical Examples & Mitigation Strategies (30 mins)

  • Web Server misconfigurations
  • Database misconfigurations
  • Web Application misconfigurations

8. Application Programming Interface Vulnerabilities, Practical Examples & Mitigation Strategies (1 hr & 30 mins)

  • Presentation of the OWASP API Top 10 vulnerabilities with practical examples
  • Broken Object Level Authorisation attacks
  • Broken User Authentication attacks
  • Excessive Data Exposure attacks
  • Lack of Resources & Rate Limiting attacks
  • Broken Function Level Authorisation attacks
  • Mass Assignment attacks
  • Security Misconfigurations
  • Injection attacks
  • Improper Assets Management
  • Insufficient Logging & Monitoring

9. Conclusion (30 mins)

  • Why should security be adopted in the Secure Development Life Cycle and how can an Organisation start the adoption?
  • SecDevOps.


Trainer

Andreas Costi
Cybersecurity Specialist, Management Consulting, KPMG in Cyprus

Andreas has over two years of experience in Cyber Security, specialising in Penetration Testing and Vulnerability Assessment. His main areas of focus are penetration tests of external and internal infrastructure (including SWIFT systems), web and mobile applications, and cloud infrastructure penetration testing, as well as the design and execution of social engineering assessments (phishing, vishing, and physical access attacks), for local and international clients in the Banking, Financial, Payments, and Oil and Gas industries. Further areas of interest include binary and malware analysis as well as hardware security.

Over the years, Andreas has participated in web and mobile application penetration tests, and in internal and external penetration tests of large Banking, Financial and Government organisations in Cyprus and abroad. In addition, he has participated in penetration tests, device security assessments, and cloud configuration reviews for important international and local clients. He has been involved in designing and performing attack scenarios as part of Attack Path Mapping exercises, and has further been actively involved in attack simulation assessments, both in setting up the required infrastructure and in preparing and executing the attack scenarios (e.g. following frameworks such as MITRE ATT&CK and TIBER-EU).

Andreas has also helped develop training courses on the security assessment of AWS and Azure cloud environments, and has developed and delivered web application, mobile application and API security workshops for software developers, covering the OWASP Top 10 vulnerabilities, for local and international clients.

Detailed Seminar Cost

For ΑνΑΔ (HRDA) Beneficiaries

  • € 270.00
  • € 136.00
  • € 0.00
  • € 134.00

For Non-ΑνΑΔ (HRDA) Beneficiaries

  • € 270.00
  • € 0.00
  • € 51.30
  • € 270.00

Cost Information

Last Date for 10% Early Bird Discount: 31/10/23

SEMINAR SCHEDULE

Tuesday, 14 Nov 2023

Time: 08:30 - 13:30

Location: Online Virtual Classroom

Wednesday, 15 Nov 2023

Time: 08:30 - 13:30

Location: Online Virtual Classroom
