This course is aimed at analysts, developers, and engineers. Web security will be described in a language-independent way, but examples from Java will be used to illustrate the concepts in practice.
A basic background in programming with a mainstream programming language will be helpful but is not necessary.
This course will introduce modern web security, with a focus on HTTPS and the Secure Sockets Layer (SSL) standard. In the age of the modern web application, security has to be taken very seriously. Applications written without an eye for security, such as those that store sensitive information in cookies or transmit it over plain-text HTTP, can leak user information and create enormous business risk.
This is a deep, one-day introduction intended to take IT managers and analysts from a basic understanding of cryptography to a complete understanding of security in the modern web stack. The instructor has over a decade of experience in web application design and development. Real-world examples will be used throughout to illustrate the instruction.
At the end of this course, attendees will:
- Understand the need for web security, and the different techniques available to secure web applications
- Learn the basics of modern cryptography, including encryption algorithms, public key infrastructure, hashing, and the underlying theory from discrete mathematics
- Gain knowledge of protocol-level security mechanisms, attack vectors, and best practices, with a focus on HTTPS and SSL
Introduction to Cryptography
- What is Cryptography
- Underlying Theory: Discrete Math
- Use Cases and Benefits
- History of Cryptography Algorithms
- Illustration of weak encryption with basic ciphers
- Illustration of encrypting messages with PGP
- Context in Web Security
Public Key Encryption
- Symmetric Key Algorithms
- Asymmetric Key Algorithms
- Block vs. Stream Ciphers
- Evaluating the strength of an algorithm
- Need for Public Key Infrastructure
- The concept of a Certificate Authority
- Alternative: Web of Trust
- Modern Certificate Authorities
- ROT13, for illustration
- DES / AES
- SHA-1 / SHA-256
- DSA / RSA
- Java code example for RSA
SSL / TLS
- SSL 3.0
- TLS 1.0 / 1.1
- TLS 1.2
- Stepping through a TLS Handshake
- Error Conditions
- Code illustrating SSL/TLS in practice
- Modern usability problems surrounding web security