Aseem Shrey
Founder, SecureMyOrg
Harish Ramadoss
Staff Engineer - Product Security, Rippling

Name of Training:

Modern Approach to Secure Design and API Security

A full description of the training:

While a vast array of trainings and courses cover system attacks from an offensive angle, few delve deeply into the mechanics of building secure systems.

In this course, we cover the basics of building secure systems and APIs and then dive deep into the nuances of different systems and their unique security requirements. We will explore everything from building an end-to-end encrypted chat system and designing a secure file-upload processing platform to creating a TV-based login.

This course is beneficial for security and software engineers, as it encourages consideration of security patterns while building scalable systems.

KEY TAKEAWAYS:

  • Assess and secure apps built with a modern tech stack
  • Threat model or perform design reviews of new features from a security perspective
  • Good for penetration testers who are trying to move into a product security role
  • Good for software engineers who want a better understanding of security risks and how to build secure systems

Outline of the Class

Day 1:

Building blocks and API Security:

  • Understand Modern Web Architecture
  • Traditional vs. Modern Applications
  • Microservices
  • Authentication - Building it the right way
    • Securing a Login Flow
      • TOTP and its weaknesses
      • Problems with Two Factor Authentication
      • Building a Phishing resistant authentication system - WebAuthn
      • What to use when MFA isn’t an option, e.g. building authentication for rental e-bikes
      • Attack protection capabilities
    • Understanding different OAuth Flows
    • Appropriate OAuth 2.0 Flow Usage
      • SPA
      • Mobile
    • Known attacks and issues with OAuth
    • JWTs in depth
  • Microservice Security
    • User-level Security (North to South traffic)
    • Service-level security (East to West traffic)
    • Service Mesh
  • GraphQL Security
    • Intro to GraphQL
    • GraphQL vs. REST
    • Main Concepts - Queries, Mutations
    • GraphQL Threat Model
      • Batching Attacks
      • Resource Intensive Query Attack
      • Deep Recursion Query Attack
      • Exploiting N+1 problems
      • Field Duplication Attack
      • Alias-based Attack

Day 2:

Designing Secure Systems:

After hands-on exploitation of some of the labs, we will see how to design secure systems. We will discuss the design and architecture of real-world systems, focusing on security, user experience, and privacy.

  1. Designing a password-less authentication platform
  2. Image Processing Service with SSRF by design - how to design your backend so engineers do not need to worry about the vulnerability
  3. Cloud-based document management - using sandboxing as a defense-in-depth technique
  4. Designing a robust and secure Password Manager
  5. Designing an End-to-End Encrypted chat platform such as WhatsApp
  6. Designing a Smart Thermostat - Secure Over-the-Air (OTA) Updates, AuthN/Z, etc.
  7. Designing secure authentication for a TV-based app such as Netflix

WHAT TO BRING?

  • A laptop with at least 8 GB RAM.

PREREQUISITE

Basic understanding of security and of how modern web applications work.

WHO SHOULD ATTEND?

  1. Security Engineers - Improve their threat modelling.
  2. Penetration Testers - Increase their chances of finding bugs.
  3. Software Engineers - Build even more secure systems.

WHAT TO EXPECT?

You can expect to gain hands-on experience in designing and building secure APIs for modern web applications during this training. The training will be delivered by experienced instructors with years of practical experience designing secure web applications and threat modelling complex web applications used by millions of users daily.

You can also expect to network and collaborate with other participants in the training and the instructors, who will be available to provide guidance and answer any questions.

By the end of the training, you will have a solid understanding of designing secure APIs and be equipped with the knowledge and skills needed to build complex and secure web applications.

WHAT ATTENDEES WILL GET

Participants will be provided with a web application setup to practice the different techniques covered in the training.

Additionally, technical support will be extended during and after the training class.

WHAT NOT TO EXPECT

  • How to build a web application.
  • 0-days or exploit development knowledge.
  • Bypasses of commercial security products.

Trainer

Aseem Shrey
Founder, SecureMyOrg

Aseem Shrey is the founder of SecureMyOrg, a boutique cybersecurity firm specialising in building security from scratch at startups and assisting them with their security requirements. He has previously worked as a Security Engineer at Yahoo and at Rippling, a fast-growing US startup, where he developed cost-optimised security automation running at scale. He is focused on finding and optimising shift-left approaches and defence-in-depth strategies. He also teaches cybersecurity @HackingSimplified and blogs about some of his security findings on his website, aseemshrey.in. He has been acknowledged for securing the government of India’s DigiLocker and various MNCs. His keen interest lies in web app exploitation, especially logical bugs, and reverse engineering. He is a CTF player with NULLKrypt3rs.

Harish Ramadoss
Staff Engineer - Product Security, Rippling

Harish currently leads product security initiatives for Rippling’s IDP and MDM platform. With over a decade of experience in application security, he brings a breadth of knowledge from a variety of industry sectors. He is also the co-founder of DejaVu, an open-source deception platform. In the past, he has presented at Black Hat, DEF CON, HITB, and a few other conferences.