Introduction to Secure Programming

מק"ט: #7560 | משך קורס: 40 שעות אק'
| מספר מפגשים: 5

The Course will present security Guidelines, consideration and techniques for developing secure application, alongside explanations and demonstration of application specific attacks in different application platforms, The participant will learn and understand the different application security threat, and the right technique for mitigating each possible threat,
The course is not focused on a specific development or deployment environment, and all principles and concept demonstrated throughout the course are relevant to all applications. The course will detail certain risks and mitigations that are relevant for specific platforms (low level languages, WEB, SOAP).
The training includes demonstrations of web security threats using simulated web application and allows understanding of the problems through live demonstration and exercises.

*שדות חובה
PDF version

קהל היעד

  • Developers and team leaders who wish to improve their security skills and awareness.
  • System architects wishing to be able to assist the developers in creating a secure application
  • Application Security personnel who wish to be able to guide developers and recommend the right way of dealing with application security flaws discovered in the organization.

תנאי קדם

  • At least 6 mounts of experience in developing applications using and modern programming language) C/C++/ASP3 / ASP.NET / C# / VB.NET / JAVA / JSP / Servlets / PHP etc.)
  • Recommended: Familiarity with the HTTP protocol
  • Recommended: Familiarity with HTML
  • Recommended: Familiarity with the SQL Language



  • Basic Security Concepts
  • What are Application Threats (C-S / Web / SOAP)
  • Application Hacking Methodologies.
  • Logical and Technical Flaws.

Common Web Application Threats

  • Information Gathering & Disclosure.
  • Source Disclosure.
  • Forceful Browsing / Forceful Access.
  • Brute Forcing
  • Buffer Overflow
  • Directory Traversal
  • Denial of Service
  • Session Hijacking
  • Cookie Poisoning
  • Cross Site Scripting & Scripts Injection
  • Flow bypassing
  • Parameter  tampering and field- manipulation
  • SQL injection
  • X-Path Injection
  • LDAP Injection
  • CSRF


Secure Development Principles

  • Induration
  • Input Validation
  • Output sanitation
  • Controlled Fall Down
  • Keep It Simple (KIS)
  • Security in Layer
  • The Weakest Link
  • Security by Obscurity
  • Authorization
  • Information Leakage
  • Using Secure Components


Exercise: Discovering Security Vulnerabilities.


Web vs. Client Server

  • Development, Risk & Mitigation in different environments.


Handling Client Controlled Data

  • HTTP Protocol Overview
  • GET/POST Requests
  • Query String and Body Parameters
  • Managing and Securing Cookies
  • HTTP Headers


HTML Related Security Issues

  • HTML Overview
  • Hidden/limits Fields
  • Client Side Comment
  • Auto Complete Functions
  • Data Caching
  • HTML scripts and Scripts Abuse

Input Validation and Output Sanitation

  • Input Validation Methods
    • Positive Approach vs. Negative Approach
    • Logical IF
    • Regular Expression (Demonstrated in Java / .NET / ASP3)
  • Output Sanitation
    • Writhing HTML Encoders (Demonstrated in Java / .NET / ASP3)


Errors and Exceptions Handling

  • Expectation Handling Overview
  • Log Writing
  • Error Massages
  • Handling Errors in the Web  / Application Server Layer


Event Logging

  • Application Logs Overview
  • What should and should not be logged?
  • Alerts an Monitoring


Exercise: Writing Secure Code.


Working With Databases

  • Secure Database Access Overview
  • User Access Rights
  • Storing Sensitive Data
  • Using Secure DB access Methods (Escaping) and Stored Procedures (Demonstrated in Java /.NET / ASP3)


Information Disclosure Preventing

  • Information Disclosure in the Application
  • Protecting the Source Code from Disclosure Demonstrated in Java /.NET / ASP3)


User Authentication & Authorization

  • User Authentication Mechanisms
    • HTTP Authentication (Basic / Digest / OS Based   - demonstrated in Java / .NET / ASP3)
    • Forms Based Authorization
    • SSL Based Authorization
  • Proper Session Usage
  • Users and Password Policies
  • Single Sign On Mechanisms
  • Managing User Authorization
  • Minimum Privilege Principle
  • Role Based Authorization
  • Resource Access Privileges
  • Code Access Authorization (and extension relevant to Java and .NET)
  • Exercise: Writing Secure Code.



  • Cryptography Overview (Basics)
  • Cryptography Uses (Communication, Secure Storage, Authentication, PKI)
  • Standard Cryptography Implementations –AES/3DES, SSL, TLS, PGP, etc.)


Web Services Security

  • WS Overview
  • SOAP Overview
  • WS Threats & Countermeasures
  • Security in SOA Environments
  • WS Security Standard Description
  • End2End vs. Peer2Per


Secure Application Design

  • In-Depth Threat Modeling
  • Step by Step Methodology for Designing Secure Application
  • Security Mechanism Overview.


Exercise: My First Secure Design – Designing Secure Applications


Secure Design Patterns

  • SSO Implementations
  • Secure Development Models: Dispatched & Factory
  • Secure in Layers.


Advanced Security Mechanisms

  • Filters
  • Advanced Authentication: NTLM, Kerberos, Physical Means Interaction
  • Anti-CSRF Mechanisms


Summarizing Exercise