Objective:
The objective of this course is to create awareness among those involved in the development of software solutions with GeneXus about the importance of security and techniques for the detection, validation, and mitigation of potential risks in applications.
It is mainly focused on GeneXus users, from analysts, developers, and testers to project managers, who want to learn more about the main security risks existing today.
The latest publication of the OWASP Top 10 ranking is used as a reference and guide for the course. This publication includes the most common risks facing applications today.
Oriented at:
The course is oriented mainly at individuals who work with GeneXus, such as analysts, developers and testers, and also project managers who wish to be informed of the main security risks of today.
Recommended backgroud:
A minimum of 6 months of development experience with GeneXus Web is recommended.
Modes: This level is available in the following modes:
Classroom: Classes are taught by a GeneXus instructor and students must attend all of them in person. The total duration of the course is 24 hours, and it is divided into six four-hour instances.
Requirements:
Participants must attend the course with their own computers, which must include the possibility of wire or wireless connection to the testing environment that will be deployed. Access is through remote desktop.
Exam:
The in-person exam takes place on a PC, including multiple choice and True/False questions intended for verifying whether the student has actually comprehended the basic concepts dealt with during the course. The minimum passing grade is 70%. The corresponding certificate is awarded to all students who pass the exam.
Online: The total duration of the course is 24 hours, and it is divided into six four-hour instances.
Requirements:
Participants will use their own equipment (laptops or PCs) with an Internet connection. To follow the course, attendees will be provided with access to a cloud-based work environment through a remote desktop. No GeneXus or other software licenses are required.
Exam:
An exam will be administered on the last day of the course. This exam will consist of multiple-choice and true/false questions in order to assess whether the student has effectively learned the concepts explained during the course. The minimum passing grade is 70%. Candidates who pass the exam will receive the corresponding certificate (issued by the product manufacturer).
Methodology:
The course has a theoretical approach detailing the basic concepts necessary for dealing with security issues, as well as a practice section that is the most extensive in terms of duration.
The following aspects are considered for each item in the OWASP Top 10:
- Demo, on a sample application, for understanding vulnerability.
- Theoretical explanation about the risk implied.
- What GeneXus does automatically to avoid it or to mitigate it.
- What the developer should do to avoid it and possible solutions.
- How to detect in case any action is required.
- Practice exercise in GeneXus to detect, exploit, solve and verify the problem.
Practice exercises are done by the assistants by accessing a virtual machine handled by the instructor through a LAN configured for the course.
Instructor
The course instructor will be one of the following professionals:
Scope:
The course refers and is guided by the latest publication of the OWASP Top 10 ranking, which includes the most common risks of applications today.
The following are the course’s main topics:
Introduction:
Introduction of the instructor, as well as the topics to be dealt with throughout the course and the working method.
GeneXus & OWASP TOP 10
The OWASP Top 10 subjects to be considered are:
1. A1-Injection
a. SQL
b. XML
c. OS
d. Código fuente
2. A2-Broken Authentication and Session Management
a. Authentication
b. Session management
c. Transmittal
3. A3-Cross-Site Scripting (XSS)
a. Format validation in enriched texts
b. Encoding of the developer’s written code
4. A4-Insecure Direct Object References
a. Direct calls to objects
b. Insecure generation of temporary files
5. A5-Security Misconfiguration
a. Password change of encoding
6. A6-Sensitive Data Exposure
a. Passwords
b. Logs
c. Sensitive information
d. Sensitive data in intermediate files
e. HTTPS
f. Hidden fields
g. HTTP Headers
7. A7- Missing Function Level Access Control
a. Security for events
b. Modes in TRNs
8. A8-Cross-Site Request Forgery (CSRF)
9. A9-Using Components with Known Vulnerabilities
a. Components used by GeneXus
b. GeneXus – User Controls Extensibility
c. Software base
10. A10-Unvalidated Redirects and Forwards
Secure development cycle
1. Introduction of tasks required for achieving an efficient and effective approach in terms of security.
Materials:
The course materials are delivered in digital format to all attendants through electronic mail.
The work environment for practice is installed in a virtual machine accessed through remote desktop, which contains the following elements:
- Examples of vulnerabilities in applications (WebGoat),
- GeneXus and a working KB,
- Application generated from the KB,
- Support tools (ZAP, Firebug, others)
The testing environment is not delivered to course attendants because it is used exclusively for imparting the course.
