The course introduces junior and middleweight web developers, as well as project managers, to the concepts of web security in order to minimise the risks that website security breaches pose to organisations and the public. From an introduction to security breach issues, through a review of security coding strategies and practical workshops, delegates gain the extended knowledge needed to build web applications that are safer for the organisation, its clients and the public to use.
Follow-up telephone support and, for training on Transmedia premises, lunch and refreshments.
What is web security?
From a non-technical perspective, this section of the course introduces delegates to the different issues surrounding web security, including who may cause a security breach, the situations that may lead to one, and the methods that can be used to eliminate the majority of security breaches.
Delegates will learn how to identify:
- Who poses a security risk
- Different security breach levels of a web system
- Potential consequences of security breaches
- Types of web security solutions
- How to strike a balance between security and functionality
Security Breach Targets and Techniques
During this section of the course, delegates will learn the 3 main areas in which a website can be attacked and the methods a hacker can use to manipulate a website or web system into giving unauthorised access to, or allowing alteration of, information. Delegates will learn about:
- Server scripts
- SQL Injection
- XSS (Cross Site Scripting)
- E-mail Injection
- Form Spoofing
Security Coding Strategies Workshop
This section of the course engages delegates in applying the previously identified security breach techniques to a real application, showing how the system can be manipulated by those hacking techniques and how security can be efficiently built into the code.
- Bypassing a user sign-in form without using a password
- Finding information about a database structure by using SQL injection to cause errors that reveal information about table names and their fields
- Methods and design patterns to eliminate SQL injection
- Hijacking and sending an e-mail to multiple people from a contact form
- Protecting against e-mail injection
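The two workshop items above (the sign-in bypass with its parameterised-query fix, and e-mail injection from a contact form) as an added, self-contained Python example; this is illustration written for this page, not the course's own workshop code. The in-memory SQLite table, the user record, the address `contact@example.invalid` and the injected input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory user table standing in for the sign-in form's backend.
# A real system stores password hashes, not plaintext; the table exists only to
# show how the query text is manipulated.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The defect: form input is concatenated into the SQL text, so quote
    # characters in the input change the structure of the query itself.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # The design pattern that eliminates the injection: a parameterised query.
    # The driver passes the values separately from the SQL text, so they are
    # only ever compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# E-mail injection: extra recipients are added by smuggling a line break plus a
# new header (for example "Bcc:") into a form field that ends up in the headers.
HEADER_BREAK = re.compile(r"[\r\n]")

def header_safe(value):
    # A header value must be a single line; anything else is rejected outright.
    return HEADER_BREAK.search(value) is None

def build_contact_message(name, reply_to, subject, body):
    # Every form field that lands in a header is validated before use; the body
    # is free text and needs no such check.
    for field, value in (("name", name), ("reply_to", reply_to), ("subject", subject)):
        if not header_safe(value):
            raise ValueError("line break in %s header value" % field)
    headers = [
        "To: contact@example.invalid",
        "From: %s <%s>" % (name, reply_to),
        "Subject: %s" % subject,
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body

def demo():
    conn = build_db()
    # Constructed bypass input: the quote closes the literal, OR makes the
    # condition always true and "--" comments out the password check.
    bypass_user = "' OR '1'='1' --"
    injected_subject = "Hello\nBcc: everyone@example.invalid"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, bypass_user, "anything"),
        "safe_bypassed": login_safe(conn, bypass_user, "anything"),
        "safe_real_login": login_safe(conn, "alice", "correct-horse"),
        "injected_subject_rejected": not header_safe(injected_subject),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the concatenated query accepting the bypass input while the parameterised version rejects it and still accepts the genuine credentials; the contact-form check refuses any header field that contains a line break, which is the only way a form submission can add recipients.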
XSS (Cross Site Scripting)
- Stealing of passwords and session hijacking
- Methods and code patterns to protect against cross-site scripting
- Ordering a product from an e-commerce shop without making payment
- Developing processing scripts that will only accept information sent from trusted IP addresses
- Creating encrypted authentication keys based on a mixture of fixed and variable information such as a system password, user-provided name and IP address
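An added Python example, not taken from the course material, covering two of the workshop items above: a code pattern that protects against cross-site scripting (output encoding of user-supplied text) and an authentication key built from fixed and variable information (a system secret, the user-provided name and the client IP address). The key is implemented here as a keyed hash (HMAC-SHA256) rather than with encryption, since a keyed hash is the standard way to make such a key unforgeable without the server having to decrypt anything; the secret value, the user name and the IP addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import html

# Constructed server-side secret (the "system password" of the workshop item).
# In a real deployment this comes from configuration, never from source code.
SERVER_SECRET = b"constructed-secret-for-demonstration-only"

def render_comment(comment):
    # Output encoding: characters with meaning in HTML become entities, so a
    # comment containing markup is displayed as text instead of executed.
    return "<p>" + html.escape(comment, quote=True) + "</p>"

def make_auth_key(username, client_ip, secret=SERVER_SECRET):
    # The key is an HMAC over the fixed secret plus the variable, per-user data.
    # The user name is length-prefixed so that "ab" + "c" and "a" + "bc" style
    # field boundaries cannot collide.
    message = ("%d:%s|%s" % (len(username), username, client_ip)).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_auth_key(username, client_ip, presented_key, secret=SERVER_SECRET):
    # Recompute from what the server knows and compare in constant time, so
    # a forged or replayed key from another name or address is rejected.
    expected = make_auth_key(username, client_ip, secret)
    return hmac.compare_digest(expected, presented_key)

def demo():
    # Constructed user name and addresses (documentation range 203.0.113.0/24).
    key = make_auth_key("alice", "203.0.113.5")
    return {
        "rendered": render_comment('<script>alert("x")</script>'),
        "valid": verify_auth_key("alice", "203.0.113.5", key),
        "other_ip": verify_auth_key("alice", "203.0.113.6", key),
        "other_user": verify_auth_key("mallory", "203.0.113.5", key),
        "tampered": verify_auth_key("alice", "203.0.113.5", key[:-1] + "0"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Binding the key to the client IP address is the course's stated design; in practice it means a user whose address changes mid-session (mobile networks, some corporate proxies) is signed out, so the check is a trade-off between security and functionality of the kind the introductory section describes.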
Multi-location Storage Strategy
- Storing information across multiple server locations to minimise the effect of security breaches
- Developing an API-based framework that allows a system to be stored across multiple servers and to use multiple databases to store and retrieve information