Go and Web Application Security

  • CL-GO
  • 2 days
  • Go, Web

Description

Web and mobile applications are built from many components, but one statement holds for nearly all of them: they need a backend. Since Go's performance is on par with C while its design and syntax are far more developer-friendly, it is a popular choice for backend development. However, with great power comes great responsibility.

Following the topics outlined by OWASP but tailored specifically for Go developers, this course provides a comprehensive overview of the most common security vulnerabilities in today's web applications and how to avoid them. Alongside web security, the course also covers the basics of cryptography and common Go coding errors through various exercises.

After successful completion of this course, participants will have an in-depth understanding of, and hands-on practical experience with, secure coding best practices in Go.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
  • Have practical experience with cryptography in Go
  • Know how to avoid typical coding mistakes and vulnerabilities in Go
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Web application security
  • Practical cryptography
  • Common coding errors and vulnerabilities
  • Principles of security and secure coding
  • Knowledge sources

Course information

Preparedness

General Go development

Exercises

Hands-on

Delivery methods

Onsite / Virtual classroom

Table of contents

  • Day 1
  • Day 2
  • IT security and secure coding
    • Security Introduction
      • Nature of security
      • What is risk?
      • IT security vs. secure coding
    • From vulnerabilities to botnets and cybercrime
      • Nature of security flaws
      • From an infected computer to targeted attacks
    • Classification of security flaws
      • Classification of security flaws
      • Landwehr's taxonomy
      • The Seven Pernicious Kingdoms 1/2
      • The Seven Pernicious Kingdoms 2/2
      • OWASP Top Ten 2021
  • OWASP Top Ten 2021
    • Broken Access Control
      • Typical access control weaknesses
      • Insecure direct object reference (IDOR)
      • Protection against IDOR
    • Exercise: Insecure direct object reference
    • Case study - Facebook Notes
      • Facebook Notes IDOR
    • Cryptographic Failures
      • Sensitive data exposure
    • Distributed guessing attack against payment cards
      • Information leakage weaknesses in online payment systems
      • Practical guessing attack
      • Real-world exploitation and countermeasures
    • Exercise: Reverse the irreversible - Deprecated cryptography
    • Injection
      • Injection principles
    • Injection - SQL Injection
    • Exercise: SQL Injection
      • Typical SQL Injection attack methods
      • Blind and time-based SQL injection
      • SQL injection protection methods
    • Case study - ImageMagick
      • ImageMagick remote code execution (RCE)
      • ImageMagick exploitation
    • Cross-Site Scripting (XSS)
      • Cross-Site Scripting (XSS)
      • Persistent XSS
      • Reflected XSS
      • DOM-based XSS
    • Exercise: Cross Site Scripting (XSS)
      • Exploitation: CSS injection
      • Exploitation: injecting the tag
      • XSS prevention
    • Insecure Design
      • Insecure design
      • Insecure design vs source code analysis
    • Exercise: Using recovery questions
    • Exercise: Denial of Service
    • Security misconfiguration
    • Exercise: Static directory listing
    • Exercise: Overly open CORS
    • Filtering file uploads
      • Filtering file uploads - validation and configuration
    • Case study - XXE in Google Toolbar
    • Vulnerable and Outdated Components
      • Vulnerability management
      • Vulnerability attributes
      • Common Vulnerability Scoring System – CVSS
    • CVE-2020-28483: HTTP Response Splitting
      • Vulnerable Gin versions
    • Identification and Authentication Failures
      • Session handling threats
      • Session handling best practices
    • Broken authentication - password management
    • Spot the bug: Password management
    • Exercise: Brute-forcing passwords
    • Exercise: Weak passwords
    • Preventing brute-force attacks
      • Rate limiting
    • Software and Data Integrity Failures
      • Supply chain example
    • Exercise: Dependencies from untrusted sources
      • Typosquatting
    • Security Logging and Monitoring Failures
      • Insufficient attack protection
      • Detection and response
      • Logging and log analysis
      • Intrusion detection systems and Web application firewalls
    • Exercise: Sensitive information in log files
    • Exercise: Log forging
    • Server-Side Request Forgery
      • Server-Side Request Forgery
      • SSRF examples
    • Exercise: Server-Side Request Forgery
      • HTTP request
      • Local file access
  • Practical cryptography
    • Cryptography Introduction
      • Rule #1 of implementing cryptography
    • Cryptosystems
      • Elements of a cryptosystem
      • FIPS 140-3
    • Symmetric-key cryptography
      • Providing confidentiality with symmetric cryptography
      • Symmetric encryption algorithms
      • Modes of operation
      • ECB - Electronic Codebook
      • CBC - Cipher Block Chaining
    • Symmetric key cryptography in Go
      • Encryption with AES
    • Exercise: Symmetric encryption with AES
      • Other cryptographic algorithms
      • Hash or message digest
      • Hash algorithms
      • Message Authentication Code (MAC)
      • Providing integrity and authenticity with a symmetric key
      • SHAttered
      • Defense against SHAttered attack
    • Other cryptographic algorithms - Hashing in Go
    • Exercise: Using a stronger hashing algorithm
      • Replace MD5 with SHA-256
      • Search for the new hash in Google
    • Other cryptographic algorithms - MAC in Go
    • Other cryptographic algorithms - Random number generation
      • Random numbers and cryptography
      • Cryptographically-strong PRNGs
      • Hardware-based TRNGs
    • Other cryptographic algorithms - Random Numbers in Go
      • Weak random numbers
      • Cryptographically secure random numbers
    • Exercise: RandomTest
    • Asymmetric (public-key) cryptography
      • Providing confidentiality with public-key encryption
      • Public-key cryptography
      • Rule of thumb – possession of private key
      • Combining symmetric and asymmetric algorithms
      • Signing with a private key
    • Public Key Infrastructure (PKI)
    • Public Key Infrastructure (PKI) - Root of Trust Concept
      • Root of Trust Concept
      • Man-in-the-Middle (MitM) attack
      • Digital certificates against MitM attack
      • Certificate Authorities in Public Key Infrastructure
      • Digital certificates
      • X.509 digital certificate
    • Exercise: Asymmetric encryption in Go
      • Encryption and decryption with RSA
  • Common coding errors and vulnerabilities
    • Input validation
      • Input validation concepts
    • Input validation - Integer problems
      • Representation of negative integers
      • Integer overflow
    • Arithmetic overflow
      • Arithmetic overflow - guess the output!
    • Exercise: IntOverflow
      • IntOverflow
      • What is the absolute value of the smallest integer?
    • Input validation - Integer problem - best practices
      • Integer problem - best practices
      • Avoiding arithmetic overflow - addition
      • Avoiding arithmetic overflow - multiplication
    • Integer truncation
    • Resource exhaustion
      • Missing defer
    • The unsafe package
  • Principles of security and secure coding
    • Principles of security and secure coding
      • Matt Bishop's principles of robust programming
      • Matt Bishop's principles of robust programming - I
      • Matt Bishop's principles of robust programming - II
      • The security principles of Saltzer and Schroeder
      • The security principles of Saltzer and Schroeder - I
      • The security principles of Saltzer and Schroeder - II
      • The security principles of Saltzer and Schroeder - III
      • The security principles of Saltzer and Schroeder - IV
  • Knowledge sources
    • Knowledge sources
      • Secure coding sources - a starter kit
      • Vulnerability databases