HackMDApplication Security Training
課程介紹
本堂課程,首先會介紹現在流行的SSDLC開發方式,以及為何需要SSDLC
在每個環節,會介紹如何以資訊安全的角度切入來遵循security best practice
- 如何設計/檢驗一個安全的功能
- 威脅建模
- Secure Code Review的思路
- Penetration Testing
課程中,除了常見的bloackbox penetration testing以外
會介紹如何以白箱(whitebox)的方式去做secure code review
本課程難易度為中等,適合軟體工程師/資安工程師等參與開發流程的人員
預估上課時間為6小時
講師介紹
Billy Chang - 資安工程師
任職於加密貨幣產業,負責產品安全設計以及安全檢測
專注在Application Security,Source code review,逆向工程等方向
目前持有OSCP和OSEP,同時也是CYBERSEC 2022/2023 資安研討會的分享者
喜歡將艱深的技術以淺顯易懂的方式分享
- https://hackmd.io/@0xbc000/malware
- https://pentestwriteup.blogspot.com/2017/10/offensive-security-certified.html
先修技能
- 了解TCP/IP
- 基本程式知識(bash, python, perl)
- 基本Linux知識
Course Content
Introduction to Application Security
- What Is Application Security?
- Why Need Application Security
- Threats In Applications
- Lab Setup
SSDLC
- Overview of SSDLC
- Overview of Application Security Testing
- Problems in Real World SSDLC
Secure Design
- Intro To Secure Design
- Confidentiality
- Integrity
- Availability
- Secure Design Principles
- Threat Modeling
- Secure Code Review Techniques
Application Security Intro
- Intro to Authentication
- Password Reset
- Access Control Issue
- SQL Injection
- SQL Injection Source Code
- XSS
- Stored XSS Source Code
- Arbitrary File Upload
- File Upload Source Code
- Remote Code Execution
- Command Injection Soucre Code
- LFI / RFI
- File Inclusion Source Code
- Server-Side Request Forgery (SSRF)
- Race Condition
Lab
- Burp Suite Intro
- Web Application Attack Lab - DVWA
- Java Code Review 101
