Web Security for Developers

Insight into the various security challenges and the most common and serious vulnerabilities a web application can have. Understanding why these flaws arise, how to detect them and how to protect against them.

Course content

You will learn how to look for vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), authorization flaws and more in a web-based online shop that is set up in a lab environment. Exercises will be handed out, with suggested solutions. The exercises are suited both to those who are new to the field and to those who can handle more advanced tasks on how to take an attack further to exploitation. The course is based on lectures and various exercises. Emphasis is placed on active participation.

Agenda:

  • Introduction: web server misconfiguration, missing use of encryption, missing URL restrictions, HTTPS security, insecure redirects.
  • Background information
  • Secure development methodology
  • SQL injection
  • Cross-Site Scripting (XSS)
  • Authentication and authorization
  • Insecure object references
  • Cross-Site Request Forgery (CSRF)
  • Exercises

Course format

Participants must bring their own laptop. The laptop must support Wi-Fi and have an Ethernet port so that it can connect to our web-based test system and to the internet.

The computers need a recent version of Java installed in order to run Burp Suite (portswigger.net/), as well as Mozilla Firefox. A list of recommended Mozilla Firefox plugins will be given to participants ahead of the course so that they can be used during the course.

Prerequisites

The course has a number of practical exercises, and participants are therefore required to have web application programming skills. There is no requirement as to which programming language you use, but it is recommended that you are comfortable with HTML source code and have some knowledge of how web applications are built.

Course materials

The course fee includes documentation, a course certificate, lunch and coffee/tea. The course materials cover all topics in the course.

Instructor

The instructor is a consultant at Watchcom and works daily with the topics taught, which keeps the course up to date and firmly grounded in practice. The course is held in Norwegian.

Exam/certification

The course includes a final exam leading to the CCSP - Web Security certification. CCSP stands for Certified CyberSecurity Professional and is a certification programme run in cooperation with Securitylab. The exam fee (one attempt) is included in the course price.

Terms and conditions

This notice explains how Combitech collects, uses, discloses, transfers and stores personal data relating to you, such as your name, address, etc. (“Personal Data”).

Why do we collect your Personal Data?

The purpose of Combitech’s processing of your Personal Data in relation to the course is (i) to handle the administration around the course, (ii) to facilitate current and/or future engagements between Combitech and you or your employer, and (iii) to update you about other upcoming courses.

What Personal Data do we collect from you and what do we do with it? 

The Personal Data collected by Combitech includes name, address, email address, telephone/mobile phone number, and food preferences. This Personal Data will be registered in Combitech’s Event Management System. We also collect your social security number (or, if you do not have a Swedish social security number, your citizenship and passport number) for access to the location where the event is held.

What is Combitech’s legal basis for the processing of your Personal Data?

Combitech’s processing of your Personal Data in our Event Management System is based on a legal contract between you and Combitech. When registering, you are entering into a legally binding contract with Combitech.

Combitech’s processing of your Personal Data in our Event Management System is also based on the legitimate interests pursued by Combitech.

This means that Combitech is of the view that its interest in processing your Personal Data for the purposes listed above outweighs the privacy intrusion you are exposed to as a result of the processing. This conclusion from our balancing-of-interests test is based especially on the facts that (i) it is crucial for Combitech to process the contact information of representatives of Combitech’s customers in order to facilitate our customer engagements; (ii) the processing of your Personal Data is limited to the extent possible; and (iii) you may at any time choose to opt out of receiving communication from Combitech.

The legal basis for collecting your social security number is that Combitech must fulfil a legal obligation when giving you access to the location for this event.

Who might we share your Personal Data with? 

Your Personal Data will be used by Combitech. Combitech will also share your Personal Data with suppliers and partners that carry out services on Combitech’s behalf, such as the persons responsible for individual courses.

How long do we keep your Personal Data? 

Combitech will store your Personal Data for a period of two years after your and/or your employer’s most recent interaction with Combitech. Combitech may, instead of destroying or erasing your Personal Data, anonymise it so that it cannot be associated with or traced back to you in any way. Personal Data collected to fulfil a legal obligation will be stored for the period required.

What are your rights? 

If your Personal Data is incorrect or needs to be updated, you may at any time request that we correct or update it by contacting the controller (contact details below). You may also contact us if you no longer want us to process your Personal Data, if you would prefer us to restrict our processing in any manner, or if you no longer wish to receive information about Combitech’s products. (We still need to process your Personal Data if you want to attend one of our courses. If you do not want us to process your Personal Data in relation to the course, you need to unregister from the course.) We will then delete your Personal Data from our systems or restrict our processing of it. Please note, however, that erasure of your Personal Data or restriction of our processing of it may mean that we are not able to provide our services to you, wholly or partially. In addition, you may receive a copy of the Personal Data relating to you and information regarding our processing of it by applying to the controller in writing. In such a case, we will provide your Personal Data to you in a commonly used data format.

If you have any queries regarding the processing of your Personal Data or wish to exercise any of the rights stated above, please write to the controller at the address provided below. You have the right to lodge a complaint regarding how Combitech processes your Personal Data with the relevant data protection authority or similar body within your jurisdiction.

How can you contact the controller and exercise your rights?

The controller for any Personal Data we hold about you is Combitech AB, corporate identity number 556218-6790, Universitetsvägen 14, P.O. Box 15042, SE-580 15 Linköping, Sweden. You can contact the controller at info@combitech.se. Combitech is a company in the Saab Group.