
Security Testing for Developers

Who is this course for?

Developers who want to start performing security tests themselves, within their own development team and on their own software, with the goal of identifying vulnerabilities and resolving them before a release. Participants must be proficient in at least one programming language, have a basic knowledge of system design and have an interest in security and hacking. Using your development skills and your experience with infrastructure and web (or other) applications, you will exploit various vulnerabilities under the supervision of the trainer, so it helps if you feel comfortable in your programming language and in applying it to technical assignments.

Why should you take the Security Testing for Developers course?

Security is playing an ever greater role in organisations, and as a developer you have an important part in assuring the quality and security of your development process and code base. You may already know some secure-development principles, or you may already have completed a security awareness session for developers. Now you want to know more about how attackers actually work, and you want to start doing security testing yourself within your organisation.

Results

After completing the course, you will have a good understanding of the what and why of security testing and have gained experience of the testing itself. You will be able to independently perform security testing.

After the course, you will be able to:

  • Analyse an application or process from the point of view of security testing,
  • Provide input about security risks on a project,
  • Advise on security testing for a project,
  • Advise on the necessary tools and actually use the most important ones,
  • Interpret the results (of both manual testing and tooling), for example filtering out false positives,
  • Perform substantive technical security tests on a wide range of components.

Programme: theoretical framework

In order to perform security tests in practice, you first need to have a framework within which to place the security testing. When teaching the theoretical framework, we discuss:

  • Context and sketching out the landscape. What do the typical security threats to an organisation consist of?
  • Security and risks: how is security discussed in an organisational context? Which risks need to be addressed?
  • What tools are available to address those risks, and what role does testing play in this?
  • Which forms of security testing are there, and when is which form appropriate?

Programme: practice

After setting the theoretical framework, we will turn to practice. The breakdown will be about 25% theory and 75% practice. During the practical components, you can experience for yourself which vulnerabilities we observe in web applications and infrastructure and how, as a developer, you can test for them yourself (manually and with the help of tools). The exercises will mainly consist of challenges which the participants can tackle independently.

Topics covered in the practical section include:

  • What does a security test on an infrastructure, mobile app, web application or API endpoint look like?
  • Identifying the attack surface of an infrastructure (e.g. port and protocol scanning).
  • Looking for configuration problems in an infrastructure.
  • Looking for any hidden services in an infrastructure (e.g. firewall evasion and service discovery).
  • Testing whether sensitive data are adequately protected when they are sent between the client and the server (e.g. SSL/TLS configuration vulnerabilities).
  • Testing the authentication layer (e.g. authentication bypass and brute-forcing).
  • Testing whether authorisation controls are applied consistently and correctly (e.g. identifier-based authorisation and enumeration).
  • Testing for various session-related vulnerabilities (e.g. cross-site request forgery, session hijacking, CORS misconfiguration).
  • Testing for some defence-in-depth and configuration vulnerabilities (e.g. cookie flags, brute-force protection and session management).
  • Testing for various injection vulnerabilities (e.g. SQL injection and cross-site scripting).
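As an illustration of the kind of self-test a developer comes away able to write, here is an added Python example (it is not part of the course material) that reviews a captured HTTP response for the cookie-flag and CORS weaknesses named in the last two bullets. The header values, the attacker origin and the allowed-origin set are constructed for the example; in practice you would feed it the headers returned to a request that carries a foreign Origin.

```python
"""
Developer self-test for defence-in-depth response headers: cookie flags and
CORS. Works on captured (name, value) header lists, so it runs offline.
The sample responses at the bottom are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Headers = List[Tuple[str, str]]  # header name/value pairs; Set-Cookie may repeat


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookie_findings(value: str) -> List[str]:
    """Report missing or weak flags on a single Set-Cookie header."""
    name, attrs = parse_set_cookie(value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie also sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (weak CSRF defence)")
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure is rejected by browsers")
    return findings


def cors_findings(request_origin: str, headers: Headers, allowed: Set[str]) -> List[str]:
    """Flag CORS responses that would let a foreign origin read (credentialed) data."""
    h = {k.lower(): v for k, v in headers}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no CORS grant at all: nothing for a foreign origin to read
    if acao == "*" and credentials:
        findings.append("ACAO * combined with credentials=true (misconfiguration)")
    if acao == "null":
        findings.append("ACAO null (sandboxed iframes and data: URLs match it)")
    if acao == request_origin and request_origin not in allowed:
        mode = "with" if credentials else "without"
        findings.append(f"request Origin {request_origin} reflected in ACAO {mode} credentials")
    return findings


def review_response(request_origin: str, headers: Headers, allowed: Set[str]) -> List[str]:
    """Combine cookie and CORS checks for one response."""
    findings: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(cookie_findings(value))
    findings.extend(cors_findings(request_origin, headers, allowed))
    return findings


# Constructed sample data (not captured from a real system).
ALLOWED_ORIGINS: Set[str] = {"https://app.example"}
ATTACKER_ORIGIN = "https://evil.example"

WEAK_RESPONSE: Headers = [
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Access-Control-Allow-Origin", ATTACKER_ORIGIN),  # origin reflected blindly
    ("Access-Control-Allow-Credentials", "true"),
]

HARDENED_RESPONSE: Headers = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://app.example"),  # fixed allow-list entry
    ("Access-Control-Allow-Credentials", "true"),
    ("Vary", "Origin"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in review_response(ATTACKER_ORIGIN, response, ALLOWED_ORIGINS) or ["no findings"]:
            print("  -", finding)
```

Run against the weak response, the checker reports the three missing cookie flags and the reflected attacker origin with credentials; the hardened response produces no findings. The same functions can be dropped into an existing test suite so that a regression in cookie or CORS configuration fails the build rather than surfacing in a pentest.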

Training by our hackers

The most important thing that sets our courses apart is that they are taught by our own ethical hackers with programming knowledge. Our trainers are first and foremost passionate hackers who apply their skills to complex security projects on a daily basis. And who better to train a developer than a hacker?

Thanks to the enthusiasm with which they communicate their knowledge and vividly illustrate it with examples and practical situations, they are valued as trainers and guest speakers. Our trainers are educated to higher vocational or university level and are selected for their good communication and social skills.

Our vision of learning

We strongly believe in ‘learning by doing’. A theoretical framework is important for placing security testing within the security domain. But in order to really make the world of hacking tangible and increase security awareness, it is important to get the participants involved in practical assignments. At Computest, about 75% of the course consists of hands-on training.

With the help of interactive sessions and a range of challenges, participants learn to hack, draw up security plans and/or carry out tests. Our trainers supervise them intensively during the assignments and answer questions so that they can work independently in practice.

Assuring quality

Daan Keuper is responsible for the overall quality of our training. He is a top hacker; he has finished third in global hacking competitions three times and made the news by finding vulnerabilities in the iPhone and in a passenger vehicle. He also has over 10 years of experience in delivering security and other training courses for technical and non-technical participants.

Daan develops the customised courses, provides the teaching materials and constantly keeps them up to date. He delivers courses himself and is also responsible for selecting, training and supervising other trainers. Daan regularly sits in on courses to monitor their quality and the professionalism of the trainers and to provide guidance where necessary. We also ask our participants for feedback after each course by means of an anonymous tool. This feedback is discussed by Daan and the trainers in order to further improve our courses.

Price, dates and location

The course costs €2400 per person. We run the course on three consecutive days so that participants can really leave their daily work behind and focus completely on the world of hacking. We provide a pleasant and relaxed learning environment. The courses are held at the Computest office. We have a beautiful space available for this purpose with a roof terrace, and we also serve a delicious lunch. In-company training can also be delivered at the customer location.

Customisation

Tailor-made courses are always an option, for large or small groups. Thanks to the broad knowledge we have in-house, we can provide courses for all kinds of target groups and to a very high technical standard. Courses can also be focused on a particular topic, for example mobile apps. As such, you will always be able to find an appropriate course or have one tailored to your needs. Please contact us to discuss the options.

Request more information

Computest Academy

Want to know more? Contact us!