Name of Training:
Modern Approach to Secure Design and API Security
A full description of the training:
While there is a vast array of trainings and courses that delve into system attacks from an offensive angle, few delve deeply into the mechanics of building secure systems.
In this course, we cover the basics of building secure systems/APIs and then dive deep into the nuances of different systems and their unique security requirements. We will explore everything from building an end-to-end encrypted chat system and designing a secure file upload processing platform to creating a TV-based login.
This course is beneficial for security and software engineers, as it encourages consideration of security patterns while building scalable systems.
KEY TAKEAWAYS:
- Assess and secure apps built with a modern tech stack
- Threat model or perform a design review of new features from a security perspective
- This training is good for penetration testers who are trying to move into a product security role
- Software engineers will get a better understanding of security risks and how to build secure systems
Outline of the Class
Day 1:
Building blocks and API Security:
- Understand Modern Web Architecture
- Traditional vs. Modern Applications
- Microservices
- Authentication - Building it the right way
- Securing a Login Flow
- TOTP and its weaknesses
- Problems with Two Factor Authentication
- Building a Phishing resistant authentication system - WebAuthn
- What to use when MFA isn’t an option. e.g. building authentication for rental e-bikes
- Attack protection capabilities
- Understanding different OAuth Flows
- Appropriate OAuth 2.0 Flow Usage
- SPA
- Mobile
- Known attacks and issues with OAuth
- JWTs in depth
- Securing a Login Flow
- Microservice Security
- User-level Security (North to South traffic)
- Service-level security (East to West traffic)
- Service Mesh
- GraphQL Security
- Intro to GraphQL
- GraphQL vs. REST
- Main Concepts - Queries, Mutations
- GraphQL Threat Model
- Batching Attacks
- Resource Intensive Query Attack
- Deep Recursion Query Attack
- Exploiting N+1 problems
- Field Duplication Attack
- Alias-based Attack
Day 2:
Designing Secure Systems:
After hands-on exploitation of some of the labs, we will see how to design secure systems. We will discuss the design and architecture of real-world systems, focusing on security, user experience, and privacy.
- Designing a password-less authentication platform
- Image Processing Service with SSRF by design - How to design your backend so engineers do not need to worry about the vulnerability
- Cloud-based document management - Using sandboxing as a defense-in-depth technique
- Designing a robust and secure Password Manager
- Designing an end-to-end encrypted chat platform such as WhatsApp
- Designing a smart thermostat - Secure Over-the-Air (OTA) updates, AuthN/AuthZ, etc.
- Designing secure authentication for a TV-based app such as Netflix
WHAT TO BRING?
- A laptop with at least 8 GB RAM.
PREREQUISITE
Basic understanding of security and how modern web applications work
WHO SHOULD ATTEND?
- Security Engineers - Improve their threat modelling.
- Penetration Testers - Increase their chances of finding bugs.
- Software Engineers - Build even more secure systems.
WHAT TO EXPECT?
You can expect to gain hands-on experience in designing and building secure APIs for modern web applications during this training. The training will be delivered by experienced instructors with years of practical experience designing secure web applications and threat modelling complex web applications used by millions of users on a daily basis.
You can also expect to network and collaborate with other participants in the training and the instructors, who will be available to provide guidance and answer any questions.
By the end of the training, you will have a solid understanding of designing secure APIs and be equipped with the knowledge and skills needed to develop complex and secure web applications.
WHAT ATTENDEES WILL GET
Participants will be provided with a web application setup to practice the different techniques covered in the training.
Additionally, technical support will be extended during and after the training class.
WHAT NOT TO EXPECT
- How to build a web application.
- 0-day or exploit development knowledge.
- Bypasses of commercial security products.