
3 Day Web and Mobile Security Training in London, UK - October 24-26, 2016

posted Sep 16, 2016, 11:23 AM by Ron Munitz   [ updated Sep 16, 2016, 11:26 AM ]

On October 24-26, 2016, I will be teaching my 3-day Web and Mobile course at CodeNode. Registration is via the following link, and the full course outline is listed below. Note the insane discounts for those who register by the end of next week.


In this hands-on course, you will learn how to secure your Web and Mobile applications, as well as how the Android Platform handles security from the inside-out. You will learn about leading attack vectors on web applications (including mobile web and native mobile), via a combination of theoretical lectures, vulnerability identifying labs, and vulnerability fixing labs.

By the end of this course you will be able to better protect your web and mobile application code, your organization's intellectual property and your application users' data, and you will have gained a lasting skill: approaching your own code from an attacker's point of view in order to write more secure and more robust software.

Duration: 3 Days

To take this course, you must have practical software development experience and be comfortable picking up new concepts and programming languages.
In particular, you must have a working knowledge of Java.
Android development experience is recommended, but developers new to Android will also benefit significantly from the course.


Upon completion of this course, you will be able to:

  • Recognize and avoid insecure patterns in code

  • Use the most suitable security APIs when coding

  • Understand the difference between the web and the mobile security mindset

  • Understand and mitigate the risks of Web Applications

  • Understand and mitigate the risks of the Android ecosystem

  • Use penetration testing tools to find vulnerabilities in code


The course is intended for web and mobile developers, both backend and frontend.
Security personnel, development managers and decision makers would also benefit significantly from the theoretical sessions and demonstrations.


Introduction to Security

  • Introduction to Security

  • Legacy and modern threats

  • Physical and Hardware Security

  • Cyber Security terminology

  • Real-time attack map demonstration: who should be worried, and why

  • Present-time attack vectors

  • Present-time defense solutions

Binary Exploitation Overview

  • Motivation: Exploit Piggy-backing on Higher Level Technologies

  • Buffer overflows and stack smashing attacks

  • Shellcode construction

  • Format string errors

  • Integer overflows

  • Heap overflows and heap spraying techniques, memory corruption and double free attacks

  • Understanding dynamic library injection and hooking attacks; misusing LD_PRELOAD

  • Compiler and Operating System mitigation techniques

  • Return Oriented Programming and mitigation techniques

  • Understanding combined data leak attacks

  • Piggy-Backing revisited: Attacks on PDF, Flash, JavaScript, WebKit, Email, Images, Video Payload, Applets, JVM.

Web Application Security

  • Web Application Architecture

  • The OWASP top 10 vulnerabilities

    • A1-Injection

    • A2-Broken Authentication and Session Management

    • A3-Cross-Site Scripting (XSS)

    • A4-Insecure Direct Object References

    • A5-Security Misconfiguration

    • A6-Sensitive Data Exposure

    • A7-Missing Function Level Access Control

    • A8-Cross-Site Request Forgery (CSRF)

    • A9-Using Components with Known Vulnerabilities

    • A10-Unvalidated Redirects and Forwards

  • OWASP top 10 Labs

    • Vulnerability identification

    • Vulnerability exploitation

    • Vulnerability fix

    • Using WebGoat and Zed Attack Proxy

Cryptographic Risks

  • The Problem With Passwords

    • Using Weak Passwords

    • Password Iteration

    • Default Passwords

    • Password Replay Attacks

    • Stop Storing Plaintext Passwords

    • Rainbow Tables Explained

    • Too Much Information: Invalid User or Password

  • The Problem With Random Numbers

    • PRNG, CRNG and TRNG

    • Finding Code That Uses an Incorrect RNG

    • Determining Whether a CRNG Is Properly Seeded

  • The Problem With Crypto Algorithms

    • Roll Your Own Algorithm

    • Using The Wrong Algorithm

    • Forgetting The Salt

    • The Difference Between Authentication, Encryption and Tamper-Proofing

    • Algorithms Are Not Future-Proof

Network Protocols Security

  • The 5- and 7-Layer Network Models

  • Network Traffic Risks

    • Eavesdropping

    • Replay

    • Spoofing

    • Tampering

    • Hijacking

  • Network Vulnerabilities

    • ARP Poisoning

    • Man In The Middle

    • (D)DoS Attacks

  • Network Authentication and Protocols

    • Kerberos / NTLM

    • SSL and HTTPS

  • Further traffic sniffing: Wireshark, Charles Proxy, Burp Suite and ZAP.

Android Security

Most of the topics in this section are discussed and presented with demos; the secure programming subsections also include hands-on labs (using the Java Cryptography Engine API in Android, and applying permissions).

  • Android Overview - Bottom up discussion

    • Hardware overview: What makes an Android device.

    • Linux Kernel boot process and provided functionalities

    • Native User Space: Init services, daemons, executables and libraries

    • Enabling Java (Dalvik + ART)

    • JNI bridge layer

    • Java OS Layer (Android Frameworks)

    • Application (APK) Structure

    • System Applications

    • User Applications

    • Google Play Services

  • Android Platform Security

    • Linux driven security sandbox

    • OS and binary protection and exploitation: ASLR, PIE, DEP, ROP et al.

    • Android hardware related permission enforcement

    • SELinux on Android

    • Data partition forensics protection via Internal and external storage encryption

    • Secure Boot

    • Android Signature model and verification:

      • Platform keys and platform app signing: Google, OEMs and integrators.

      • Third party (and play store) application signing.

    • Android application sandbox: single and multiple physical users.

    • Android Permissions:

      • Pre-Marshmallow (API Level < 23)

      • Post-Marshmallow: User policies, user responsibilities, application developer responsibilities, dynamic permission checking and revocation.

      • Defining custom permissions, restricting Application components (Activity, Service, Content Provider, Broadcast Receiver)

    • Android Security Patches

    • Android Nougat Security Features (NEW!)

  • Android Application Secure Coding I: Code and app behavior

    • Reverse Engineering and Data extraction demo: Motivation.

    • Code protection techniques: Obfuscation, stripping, encryption, anti-tampering techniques. Native code techniques with NDK, gcc, and clang.

    • SQL Injection and protection from it.

    • Manifest level component access control

    • IPC level runtime component access control

    • WebView and JavaScript protection/restriction best practices for hybrid apps

    • Protecting from other applications, protecting from user judgement

    • Dynamic permission control best practices

    • Introduction to Android cryptography: BouncyCastle, BoringSSL

    • Protecting WebView code

  • Android Application Secure Coding II: Securing User and Application data.

    • Android Storage layout - what’s open and what’s not.

    • SQLite inspection and protection with SQLCipher

    • Introduction to applied cryptography

      • Cryptography goals: Authentication, Integrity, Encryption.

      • Symmetric and Asymmetric cipher suites

      • Key generation techniques and trade-offs

      • Software vs. Hardware based techniques.

    • Android Applied cryptography

      • Protection models (Encryption vs. Authentication)

      • Software based protection via software based cryptography

      • Hardware based protection via the keystore

  • Android Application Secure Coding III: Secure Network Communications

    • Network privacy dangers: Packet sniffers and interceptors. MITM attacks.

    • Certificate Authority (CA) Chain of trust: A solution and the introduced problems

    • Secure communication with TLS/SSL

    • Encrypted network privacy dangers: Sniffers and interceptors. MITM attacks.

    • CA management in Android: Platform and application management

    • Custom TrustManagers and certificate pinning

    • IP-layer security: introducing the VPN API.