● Information Security Fundamentals ● Confidentiality ● Integrity ● Availability ● General Security Components ● Authentication ● Authorization ● Accountability/Auditing ● Non-repudiation
12.00-13.00
Lunch
13.00-14.30
● Why do you need application security? ● Principles and concepts (Including OWASP) ● Security by Design ● Threat Modelling ● Do Programming Languages Matter? ● Application Security Myths ● Top 25 Most Dangerous Software Errors
Introduction to Web Application Security ● Vulnerability Stack ● Defense in Depth ● Using a Web Proxy ● Example: Burp Proxy ● Man-in-the-middle ● Proxy Configuration ● Intercept & Scope Configuration ● HTTP, HTTPS ● Manual browser configuration ● Browser add-on ● Using the Spider & Discover ● Using the Repeater Tab ● Using the Intruder Tab ● Text-Specific Searching
Using Hacking Tools ● Example: Kali Linux ● Commands to help you navigate any Linux system ● Add/remove software and update/upgrade your system ● Archive and compress files and folders ● Use wildcards to make daily tasks easier ● Editing files ● Configuring and managing services ● Managing users, groups and permissions ● Chaining multiple commands for greater effect
10.30-10.45
Refreshment break
10.45-12.00
SDLC vs. SSDLC ● Secure Design Principles: ● Least Privilege ● Separation of Duties ● Minimize Attack Surface ● Defense in Depth ● Fail Secure
12.00-13.00
Lunch
13.00-14.30
Risk Management ● Vulnerability ● Threat ● Control ● Threat Modeling ● Attack Tree ● Use Case
14.30-14.45
Refreshment break
14.45-17.00
Web Application Risks (OWASP Top 10) ● OWASP Testing Guide ● The OWASP Testing Framework ● Black Box Testing Tools ● Basic HTTP Protocol ● Web Components ● HTTP Request & Response ● HTTP Methods ● URL Encoding ● User-Agent ● Session & Cookie ● X-Forwarded-For ● Header Security ● Cache-Control ● HSTS ● X-XSS-Protection ● X-Content-Type-Options ● MIME Type ● X-Frame-Options ● UI Redressing ● Iframe busting
Day 3
Time
Content
9.00-10.30
How to secure a PHP application (cont’d) ● Authentication: Captcha, Random token, Password strength test ● Session management: Session Fixation, Multiple sessions, HttpOnly flag, Secure flag ● Access control: Basic, Digest, Client Certificate, Form-based, IWA