Application Security Training

With a proven track record for providing security consultancy for businesses around the world, we offer a wide range of services that help organisations build robust cyber security strategies, including a full programme of cyber security training.

According to ISACA’s 2015 Global Cyber Security Report, 86% of their members believe that skilled cyber security professionals are difficult to come by, with 54% agreeing that it is difficult to identify who has an adequate level of skills and knowledge for a cyber security position. The global survey also found that 86% of respondents see a global cyber security skills gap.

We believe that increasing awareness and building the cyber skillset should start from inside your organisation. Our range of security courses is designed to help you see things from an attacker's point of view and better understand how to secure your networks and applications.

Hacking and Securing Web Applications

Hacking and Securing Web Applications is a three-day course aimed at software developers, software architects, security consultants and quality assurance engineers who want to understand how attackers uncover and exploit vulnerabilities in web applications, and what developers can do to prevent it.

The course covers the methodology to assess the security of a web application and gives detailed guidance on secure development, relating to both the design and implementation of web applications.

Course Overview

  • Breaking and building robust authentication and authorisation mechanisms and session management routines
  • Uncovering and exploiting SQL injection, filter bypasses, query chaining and blind exploitation
  • Guidance on how to interact securely with database management systems (DBMS)
  • Bypassing client-side controls, and reverse engineering JavaScript and thick client components
  • Detecting and exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
  • Avoiding cross-site scripting and other client-side flaws
  • Validating user input effectively
  • Uncovering business logic flaws with dynamic analysis and static code analysis, and good-practice techniques to address them

The course is a mix of presentations and hands-on lab sessions where you can practice and experience how application vulnerabilities are detected and exploited by attackers, and how applications can successfully defend against these attacks.

The course is run over three consecutive days, but a shortened version over two days can also be offered.

Agenda

  • Day 1: Introduction to web app security, environment setup, application mapping, use of automation, client-side controls
  • Day 2: Authentication, session management, access controls, injection flaws (SQL injection, command injection, code injection, SMTP injection, XML injection, etc.)
  • Day 3: Business logic flaws, client-side vulnerabilities, file system interaction, handling bad input, and a review of web application vulnerability scanners

Pricing

We offer in-house and public courses. Prices are available on request.

Processor, OS and Compiler Foundations

Processor, OS and Compiler Foundations is a two-day course aimed at consultants, code reviewers, reverse engineers and exploit developers who want to understand how native programs work and assess their security without access to source code.

The course covers methodologies to understand native code from both a static analysis perspective, using disassemblers, and a dynamic perspective, using debuggers. It also covers some common classes of security vulnerability and methods to detect them.

Course Overview

  • Introduction to x86 assembly language
  • Compiling a simple program, disassembling it and running it under a debugger
  • Introduction to debugging techniques and the various tools available
  • Using a debugger to solve a series of “crackme”-style challenges
  • Introduction to reverse engineering using IDA
  • Using a disassembler to understand a series of “reverseme”-style challenges
  • Understanding common coding errors in C
  • Combining the tools and techniques to perform a black-box vulnerability assessment

The course is a mixture of presentations and hands-on lab sessions where you can practice debugging and reverse engineering.

The course is run over two days, but the second day, covering the black-box assessment, can be omitted when the course is used as an introduction to the Exploit Development course.

Agenda

  • Day 1: Introduction to x86, debugging techniques and labs, reverse engineering techniques and labs.
  • Day 2: Common C coding errors, deep C, black-box product assessment.

Pricing

We offer in-house and public courses. Prices are available on request.

Exploit Development

Exploit Development is a three-day course aimed at consultants, code reviewers, reverse engineers and exploit developers who want to understand how vulnerabilities in native code can be exploited.

The course covers exploitation from simple stack overflows to type confusion bugs in C++ code, using a variety of techniques including return-oriented programming and engineering read/write primitives.

Course Overview

  • Exploiting stack overflows
  • History of exploit mitigations, including stack cookies, SafeSEH, DEP and ASLR, and common techniques to bypass them
  • Return-oriented programming (ROP)
  • Writing custom payloads/shellcode and encoding them to get around filters
  • Exploiting C++ vulnerabilities by building read and write primitives

The course is a mixture of presentations and hands-on lab sessions where you can practice developing a variety of exploits.

The course is run over three days, but the second day, covering payload development, can be omitted if desired.

Agenda

  • Day 1: Stack overflows, writing a simple exploit, mitigations, return-oriented programming, developing a ROP exploit.
  • Day 2: Developing payloads and shellcode, common filters, writing filtered exploits.
  • Day 3: C++ internals, exploiting vtable overwrites, type confusion (casting bugs and use-after-free), exploiting type confusion bugs.

Pricing

We offer in-house and public courses. Prices are available on request.

Security in Software Development Lifecycle

This two-day course is aimed at senior software developers and QA engineers, software architects, technical project/product/program managers, business analysts and team leaders who want to understand how to satisfy the expectations around security and privacy for software and hardware over which they have responsibility or liability.

The course covers a methodology for assessing an existing software development lifecycle from a security point of view and for building an improvements roadmap that suits a particular organisation. It gives a detailed overview of known maturity models and of the security-related activities available across all stages of the SDLC.

Course Overview

  • The SDLC's place in an organisation's security programme
  • Maturity models
  • Types of SDLC: waterfall, agile, lean, etc.
  • Stages of the SDLC: requirements gathering, architecture and design, development, testing/validation, release/maintenance
    • Detailed coverage of security activities suitable for each stage
  • Software-centric threat modelling
    • Analysing and decomposing the application
    • Applying STRIDE to identify potential threats
    • DREAD and other methods of prioritisation
    • Determining countermeasures and mitigations

The course is a mix of presentations and hands-on threat modelling exercises, where you can practice building threat models for a variety of software architectures and learn how design-level security mistakes can be spotted using the STRIDE approach.

Agenda

  • Day 1: Introduction to the SDLC, maturity models, building an improvements roadmap for your organisation.
  • Day 2: Threat modelling theory and exercises.

Pricing

We offer in-house and public courses. Prices are available on request.

Secure Coding in C and C++

This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.

Course Overview

  • Improve the overall security of any C or C++ application
  • Thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
  • Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
  • Eliminate integer-related problems: integer overflows, sign errors, and truncation errors
  • Correctly use formatted output functions without introducing format-string vulnerabilities
  • Avoid I/O vulnerabilities, including race conditions

Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

This courseware has been designed by Robert C. Seacord, a renowned computer scientist and author, known as the “father of secure coding.” Robert is a Principal Security Consultant with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed.

Pricing

We offer in-house and public courses. Prices are available upon request.

Secure Coding in Java

The two-day instructor-led Secure Coding for Java course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons videos.

Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.

Course Overview

  • Explain the need for secure coding
  • Follow fundamental secure coding guidelines
  • Validate and sanitize data
  • Explain the Java Security Model
  • Predict how the numerical types behave in Java
  • Avoid pitfalls in the use of characters and strings
  • Securely process input and output

Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

This courseware has been designed by Robert C. Seacord, a renowned computer scientist and author, known as the “father of secure coding.” Robert is a Principal Security Consultant with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed.

Pricing

We offer in-house and public courses. Prices are available upon request.