Open courses

Web Security for Developers

The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries, some human, some bots, who have darker goals: to damage your data or reputation, to subvert your resources for their own gain, or to attack your user base.

Building a secure website is a considerable challenge today. Developers do not always know the security aspects of secure development, and keeping up with the rapid pace of change is a problem in itself. The trend of adding ever more functionality to browsers also creates new security holes.

The business risks and costs once an intrusion occurs are very large, and we as developers have the responsibility to plan ahead and prevent this. Therefore, it is important that we have a good foundation to stand on when it comes to security and risk.

Life on the Internet is not so harmonious. Unfortunately, you are exposed around the clock to an army of adversaries, some human, some bots, with darker aims: to cause loss of information or reputation, to use your resources for their own gain, or to attack your user base.

Target audience
This course is aimed at web developers.

Prerequisites
You should have basic web development experience.

Course content
Introduction

  • The reality
  • What might an attacker want?
  • Social Engineering

HTTPS

  • What's wrong with HTTP?
  • Man-in-the-middle attacks
  • HTTP Strict Transport Security header

Certificates

  • Certificate failures
  • Certificate pinning
  • Lifetime
  • Let's Encrypt

Encoding

  • Character encoding
  • Unicode
  • Encoding (UTF-8, UTF-16...)

Cross Site Scripting

  • Stored XSS
  • Reflected XSS
  • DOM Based XSS
  • XSS Preventions

Content Security Policy

  • Headers and directives
  • CSP Reporting
  • CSP Nonce
  • CSP Validation

Cross-site request forgery (CSRF)

  • CSRF Attack
  • CSRF Prevention

Securing your cookies

  • Cookie security
  • Same-site cookies

CORS

  • Origins
  • Same-Origin Policy
  • Cross-Origin Resource Sharing

Injections

  • SQL Injections
  • Blind injection attacks
  • File path injections

Authentication & Authorization

  • Securing the login form
  • Securing the session
  • Multi-factor authentication

Denial-of-Service (DoS) attacks

  • Network attacks
  • Application level attacks
  • XML DoS attacks
  • Decompression bombs

Password management

  • Secure password storage
  • Hashing
  • Salt and pepper
  • Password spraying

Information leakage

  • Error handling
  • Source control leaks
  • Response header leakage
  • Search engine leakage

Securing our dependencies

  • Supply-chain attacks
  • Subresource Integrity

Hack yourself

  • Hack your own systems
  • Tools
  • Approach