# Application Security Training

[TOC]

# Course Introduction

This course first introduces the SSDLC (Secure Software Development Life Cycle) approach that is widely used today, and explains why an SSDLC is needed.

At each stage of the life cycle, it shows how to approach the work from an information security angle so that security best practices are followed:

- How to design and verify a secure feature
- Threat modeling
- The mindset behind secure code review
- Penetration testing

Beyond the common black-box penetration testing, the course also covers how to perform secure code review in a white-box manner.

The difficulty level is intermediate. The course is suitable for software engineers, security engineers and anyone else who takes part in the development process.

Estimated duration: 6 hours.

# Instructor

Billy Chang - Security Engineer

Works in the cryptocurrency industry, responsible for product security design and security testing.

Focuses on application security, source code review, reverse engineering and related areas.

Currently holds the OSCP and OSEP certifications, and was a speaker at the CYBERSEC 2022 and 2023 security conferences.

Enjoys presenting difficult technical topics in a clear and easy-to-understand way.

* https://hackmd.io/@0xbc000/malware
* https://pentestwriteup.blogspot.com/2017/10/offensive-security-certified.html

# Prerequisites

* Understanding of TCP/IP
* Basic programming knowledge (bash, python, perl)
* Basic Linux knowledge

# Course Content

### Introduction to Application Security

* What Is Application Security?
* Why Application Security Is Needed
* Threats in Applications
* Lab Setup

### SSDLC

* Overview of SSDLC
* Overview of Application Security Testing
* Problems in Real-World SSDLC

### Secure Design

* Intro to Secure Design
* Confidentiality
* Integrity
* Availability
* Secure Design Principles
* Threat Modeling
* Secure Code Review Techniques

### Application Security Intro

* Intro to Authentication
* Password Reset
* Access Control Issues
* SQL Injection
* SQL Injection Source Code
* XSS
* Stored XSS Source Code
* Arbitrary File Upload
* File Upload Source Code
* Remote Code Execution
* Command Injection Source Code
* LFI / RFI
* File Inclusion Source Code
* Server-Side Request Forgery (SSRF)
* Race Condition

### Lab

* Burp Suite Intro
* Web Application Attack Lab - DVWA
* Java Code Review 101