Live Online Training

Writing Secure Programs: Use OWASP As Your Guide


Ric Messier

Some popular programming languages today are considered managed, meaning the language itself takes care of memory and several other concerns that could lead to vulnerabilities. This does not mean, however, that programs written in that language are free of vulnerabilities. There are a number of practices that programmers may use that can lead to program vulnerabilities that may be exploited. This training will focus on some of the common vulnerabilities that are found in applications and how to write programs that avoid some of those mistakes using OWASP (Open Web Application Security Project) as your guide.

What you'll learn and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • The OWASP Top 10 Vulnerabilities
  • How to remove vulnerabilities in your programming practices
  • How to test your programs for vulnerabilities

And you’ll be able to:

  • Identify programming practices that may lead to vulnerabilities
  • Explain the top 10 vulnerabilities
  • Remediate identified vulnerabilities

This training course is for you because...

  • You’re a programmer/developer
  • You work with Java, .NET, C or other similar languages
  • You want to become a security-oriented programmer

Prerequisites

  • You must have experience working in a programming language like Java, C#, C, C++, Python or other similar languages

Recommended follow-up:

About your instructor

  • Ric Messier is an author, consultant, and educator who holds GCIH, GSEC, CEH, and CISSP certifications, and has published several books on information security and digital forensics. With decades of experience in information technology and information security, Ric has held the varied roles of programmer, system administrator, network engineer, security engineering manager, VoIP engineer, consultant, and professor. He is currently a Senior Information Security Consultant with FireEye Mandiant.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

OWASP Top 10 (10 minutes)

  • Presentation: OWASP tracks common programming practices that lead to security vulnerabilities. This will be a quick overview on the top 10 vulnerabilities and the programming practices that lead to them.
  • Discussion

Input Validation (30 minutes)

  • Presentation: Many vulnerabilities are ultimately a result of taking input from a user without properly ensuring it doesn’t contain unexpected values. This section will talk about practices for doing input validation.
  • Exercise: Practice programming input validation techniques.
  • Discussion
  • Q&A
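As an added illustration of the allowlist approach to input validation that this module covers (this is example code written for this listing, not course material from the instructor), the snippet below validates a small order request. The field names, the username pattern and the quantity limit are constructed for the demo; the point is that each field is checked against an exact description of acceptable input, and anything else, including unexpected extra fields and type confusion such as a boolean standing in for an integer, is rejected.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Allowlist rules: describe exactly what acceptable input looks like and reject everything else,
# rather than trying to enumerate "dangerous" characters. (Limits below are constructed for the demo.)
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
QUANTITY_RE = re.compile(r"[1-9][0-9]{0,3}")   # canonical decimal only: no sign, no leading zeros, no spaces
MAX_QUANTITY = 1000


class ValidationError(ValueError):
    """Raised for any input that does not match the expected shape."""


@dataclass(frozen=True)
class OrderRequest:
    username: str
    quantity: int


def validate_username(raw: object) -> str:
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    # fullmatch anchors both ends, so "alice; drop" and "alice\n" are rejected, not partially matched.
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username contains unexpected characters or has a bad length")
    return raw


def validate_quantity(raw: object) -> int:
    # bool is a subclass of int in Python, so True would otherwise sneak through as 1.
    if isinstance(raw, bool):
        raise ValidationError("quantity must be an integer")
    if isinstance(raw, str):
        if not QUANTITY_RE.fullmatch(raw):
            raise ValidationError("quantity must be a plain positive decimal number")
        raw = int(raw)
    if not isinstance(raw, int):
        raise ValidationError("quantity must be an integer")
    # Range check after the type check: a syntactically valid number can still be out of bounds.
    if not 1 <= raw <= MAX_QUANTITY:
        raise ValidationError(f"quantity must be between 1 and {MAX_QUANTITY}")
    return raw


def parse_order(payload: dict) -> OrderRequest:
    # The request must have exactly the expected fields; extra keys are not silently ignored.
    expected = {"username", "quantity"}
    if not isinstance(payload, dict) or set(payload) != expected:
        raise ValidationError("request must contain exactly the fields username and quantity")
    return OrderRequest(
        username=validate_username(payload["username"]),
        quantity=validate_quantity(payload["quantity"]),
    )


def try_parse(payload: dict) -> Optional[OrderRequest]:
    """Validate and return the request, or None if it was rejected (reason is logged)."""
    try:
        return parse_order(payload)
    except ValidationError as exc:
        print(f"rejected {payload!r}: {exc}")
        return None


if __name__ == "__main__":
    # Constructed sample requests, as they might arrive from a JSON API.
    samples = [
        {"username": "alice_01", "quantity": "5"},            # accepted
        {"username": "alice; drop table", "quantity": 5},      # bad characters
        {"username": "alice", "quantity": "05"},               # non-canonical number
        {"username": "alice", "quantity": 5000},               # out of range
        {"username": "alice", "quantity": True},               # wrong type
        {"username": "alice", "quantity": 5, "is_admin": 1},   # unexpected field
    ]
    for sample in samples:
        print(try_parse(sample))
```

Only the first sample is accepted. The validator never tries to "clean up" a bad value (stripping characters, truncating, coercing); it rejects and reports, which keeps the accepted set exactly equal to what the rules describe.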

Access Control (30 minutes)

  • Presentation: Access control is about authenticating users and then making sure they can reach the resources they are entitled to, and only those resources. This module will cover the basics of permissions and authentication, since broken access control is a top item in the OWASP Top 10.
  • Exercise
  • Q&A
  • Break (5 minutes)
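The following example, added for this listing and not taken from the course, shows the two checks the module describes in code: authentication (is there a logged-in user at all?) and per-record authorization (may this user see this particular record?). The users, invoices and role name are constructed sample data. The design point is deny by default: the handler only returns a record when one of the explicit grants applies, and it treats a record the caller may not see the same way as a record that does not exist.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset


@dataclass(frozen=True)
class Session:
    user: Optional[User]   # None means the request is not authenticated


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two ordinary users, one administrator, three invoices.
ALICE = User(1, frozenset())
BOB = User(2, frozenset())
ADMIN = User(3, frozenset({"admin"}))
INVOICES: Dict[int, Invoice] = {
    101: Invoice(101, owner_id=1, amount=50.0),
    102: Invoice(102, owner_id=2, amount=75.0),
    103: Invoice(103, owner_id=2, amount=20.0),
}


class AccessDenied(PermissionError):
    """Raised whenever a request is not allowed to see the record it asked for."""


def can_read_invoice(user: User, invoice: Invoice) -> bool:
    # Deny by default: the only grants are owning the record or holding the admin role.
    if invoice.owner_id == user.user_id:
        return True
    return "admin" in user.roles


def get_invoice(session: Session, invoice_id: int) -> Invoice:
    # Authentication is checked before any lookup, so anonymous requests never touch the data store.
    if session.user is None:
        raise AccessDenied("authentication required")
    invoice = INVOICES.get(invoice_id)
    # Authorization is checked per record, not just per endpoint: knowing a valid ID is not enough.
    # Missing and forbidden records get the same response so the endpoint does not reveal which IDs exist.
    if invoice is None or not can_read_invoice(session.user, invoice):
        raise AccessDenied("invoice not found")
    return invoice


def describe_access(session: Session, invoice_id: int) -> str:
    """Map the outcome to a string, the way a web handler would map it to an HTTP status."""
    try:
        return f"ok:{get_invoice(session, invoice_id).amount}"
    except AccessDenied as exc:
        return f"denied:{exc}"


def list_invoices(session: Session) -> list:
    """Listing applies the same per-record rule, so a user only ever sees their own rows."""
    if session.user is None:
        raise AccessDenied("authentication required")
    return [inv.invoice_id for inv in INVOICES.values() if can_read_invoice(session.user, inv)]


if __name__ == "__main__":
    for who, session in [("anonymous", Session(None)), ("alice", Session(ALICE)), ("admin", Session(ADMIN))]:
        print(who, describe_access(session, 102))
    print("bob sees", list_invoices(Session(BOB)))
```

Keeping the grant logic in one function (`can_read_invoice`) and calling it from both the single-record and the listing paths is what prevents the common mistake of protecting one route while another route exposes the same data.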

Serialization/Deserialization (25 minutes)

  • Presentation: Serialization and deserialization are the processes of bundling data into a structured form and then reconstructing the original data from that structured form. This module covers some of the techniques that can be used for safe serialization and deserialization.
  • Exercise
  • Discussion
  • Q&A
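To make the module's point concrete, here is an added example (written for this listing, not course material) of a serialize/deserialize pair that is safe to use on data received from an untrusted party. The `UserProfile` type, its fields and the size limit are constructed for the demo. The format is JSON, which carries only values, and the deserializer checks the decoded document against an explicit schema before constructing an object, so that extra fields, missing fields and type confusion are all rejected.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Upper bound on an incoming document; deserializers are a common place for resource-exhaustion bugs.
MAX_DOCUMENT_BYTES = 4096


@dataclass(frozen=True)
class UserProfile:
    user_id: int
    display_name: str
    is_admin: bool


# Explicit schema: field name -> exact Python type the field must have after JSON parsing.
SCHEMA = {"user_id": int, "display_name": str, "is_admin": bool}


class DeserializationError(ValueError):
    """Raised for any document that is not exactly a well-formed UserProfile."""


def serialize(profile: UserProfile) -> bytes:
    # A data-only format: the bytes carry values, never instructions about which class to
    # instantiate, which is what makes formats like Python's pickle unsafe for untrusted input.
    return json.dumps(asdict(profile), sort_keys=True).encode("utf-8")


def deserialize(raw: bytes) -> UserProfile:
    if len(raw) > MAX_DOCUMENT_BYTES:
        raise DeserializationError("document too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise DeserializationError(f"malformed document: {exc}") from None
    if not isinstance(obj, dict):
        raise DeserializationError("top-level value must be an object")
    # Exact key set: unknown fields are rejected rather than ignored, missing ones are not defaulted.
    if set(obj) != set(SCHEMA):
        raise DeserializationError(f"unexpected or missing fields: {sorted(set(obj) ^ set(SCHEMA))}")
    for key, expected_type in SCHEMA.items():
        # type(...) is used rather than isinstance so that bool (a subclass of int) cannot
        # be smuggled into user_id, and an int cannot be passed where a bool is required.
        if type(obj[key]) is not expected_type:
            raise DeserializationError(f"field {key!r} must be {expected_type.__name__}")
    return UserProfile(**obj)


def try_deserialize(raw: bytes) -> Optional[UserProfile]:
    """Return the profile, or None when the document is rejected (reason is logged)."""
    try:
        return deserialize(raw)
    except DeserializationError as exc:
        print(f"rejected: {exc}")
        return None


if __name__ == "__main__":
    original = UserProfile(user_id=7, display_name="Alice", is_admin=False)
    wire = serialize(original)
    print(wire)
    print(try_deserialize(wire) == original)
    # Constructed documents that a lenient deserializer might accept.
    for bad in [
        b'{"user_id": 7, "display_name": "Alice", "is_admin": false, "role": "root"}',  # extra field
        b'{"user_id": true, "display_name": "Alice", "is_admin": false}',               # bool as int
        b'["user_id", 7]',                                                              # wrong shape
        b'{"user_id": 7, "display_name": "Alice"}',                                     # missing field
    ]:
        print(try_deserialize(bad))
```

The round trip succeeds, and every one of the four altered documents is rejected. The same pattern (size cap, data-only format, explicit schema, exact type checks, construct the object last) applies whatever serialization library the application uses.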

Memory Management (25 minutes)

  • Presentation: Applications may dynamically allocate memory. This module is about best practices for memory management.
  • Exercise
  • Q&A