# Application Security Training Course Introduction

[toc]

<br>

## Course Introduction

This course is expected to run about 6 hours and is suited to junior security engineers or students with a software engineering background.
The difficulty is set between beginner and intermediate, so the audience is relatively broad.
The course uses examples to introduce the problems encountered during software development.
After the course, students will understand how to apply security principles, will have practiced mainstream attack techniques, and will know how to defend through secure design.

<br>

## Instructor

Billy (0xbc000): holds a graduate degree in Computer Engineering from NYU and works as a product security engineer in the cryptocurrency industry. Focuses on Application Security, penetration testing, Secure Design, and related areas.

Certifications held include the following:
- [OSCP](https://www.credly.com/earner/earned/badge/e3ceddee-13d0-44c8-9138-cc47fb135300)
- [OSEP](https://www.credly.com/earner/earned/badge/33e7fd21-90bc-4080-86e0-1621b2e2fa06)
- [ARTE](https://training.hacktricks.xyz/certificates/d63dc5fa-32cc-4242-850e-e74fb5bd1698)

<br>

## Audience Requirements:

- Understanding of TCP/IP
- Basic programming knowledge (bash, python, perl)
- Basic Linux knowledge

<br>

## Course Outline

### Introduction to Application Security
* What Is Application Security?
* Why We Need Application Security
* Threats In Applications

### SSDLC
* Overview of SSDLC
* Overview of Application Security Testing
* Problems in Real World SSDLC

### Secure Design & Threat Modeling
* Intro To Secure Design
* Confidentiality / Integrity / Availability
* Secure Design Principles
* Threat Modeling
* Secure Code Review Techniques

### Web Application Security
* Intro to Authentication
* Password Reset
* SQL Injection
* SQL Injection Source Code
* XSS
* Stored XSS Source Code
* Arbitrary File Upload
* File Upload Source Code
* Remote Code Execution
* Command Injection Source Code
* LFI / RFI
* File Inclusion Source Code
* Access Control Issue
* Server-Side Request Forgery (SSRF)
* Race Condition

### Lab
* Burp Suite Intro
* Web Application Attack Lab - DVWA
* Java Code Review 101