December 10, 2022December 21, 2022 Actual Training

Pelatihan REST API Security (PT Pamapersada)

Pada tanggal 29 November -1 December 2022 telah dilaksanakan pelatihan dengan topik REST API Security. Peserta dari pelatihan ini adalah software architect dari department Strategic Information System, PT Pamapersada Nusantara. Pelatihan ini dilangsungkan di Actual Training, Yogyakarta.

Dengan semakin popular nya aplikasi mobile, backend services, dan penerapan arsitektur microservices maka pengetahuan tentang bagaimana cara mengamankan aplikasi khususnya REST API semakin dibutuhkan, sehingga dapat meminimalkan serangan yang mungkin terjadi pada aplikasi backend yang kita kembangkan.

Tujuan dari pelatihan ini adalah membahas berbagai macam serangan dan ancaman keamanan pada aplikasi backend berbasis REST API.

Adapun materi yang disampaikan pada pelatihan REST API Security ini adalah sebagai berikut:

The Age of the API
The Hidden Nature of API Security
What Exactly Is an API?
What’s the Scope of This Course?
Introducing Supercar Showdown
Introducing the Vulnerable Mobile App
Discovering Device Communication With APIs
Who Are We Protecting Our APIs From?
Proxying Device Traffic Through Fiddler
Interpreting Captured Data in Fiddler
Intercepting Mobile App Data in Fiddler
Discovering More About Mobile Apps via Fiddler
Filtering Traffic in Fiddler
Alternate Traffic
Interception Mechanisms
Discovering Leaky APIs
Securing a Leaky API
Discovering Hidden APIs via Documentation Pages
Discovering Hidden APIs via robots.txt
Discovering Hidden APIs via Google
Securing Hidden API
Defining Untrusted Data
Modifying Web Traffic in Fiddler
Manipulating App Logic by Request Tampering
Response Tampering
API Authentication and Authorization Vulnerabilities
Introduction
Identifying Authentication Persistence
The Role of Tokens
An Auth Token in Practice
An Overview of Authorization Controls

Identifying Client Controls vs. Server Controls
Circumventing Client Authorization Controls
Testing for Insufficient Authorization
Testing for Brute Force Protection
OWASP API Security Top 10 goals
Broken Object Level Authorization
Broken User Authentication
Excessive Data Exposure
Lack of Resources and Rate Limiting
Broken Function Level Authorization
Mass Assignment
Security Misconfiguration
Injection Module Watched
Improper Assets Management
Insufficient Logging and Monitoring
Secure Coding with OWASP Resources
OWASP ASVS
Authentication
Session Management
Access Control
Securely Handling Input and Output Data
Protecting Sensitive Data
Secure Error Handling and Logging
Managing Vulnerable Dependencies
Protecting the Business Logic
Handling Untrusted Files
Hardening Configuration

November 9, 2020January 1, 2021 Actual Training

Online Training: ASP.NET Core Security

Pada tanggal 23-26 Oktober 2020, telah dilaksanakan pelatihan online dengan Judul ASP.NET Core Security. Peserta dari pelatihan ini adalah dosen dan pengembang aplikasi web dari Universitas Gunadarma.

Keamanan perangkat lunak merupakan pertimbangan penting ketika merancang dan mengembangkan aplikasi web. Meskipun pelanggaran keamanan dan ancaman dapat memiliki konsekuensi serius, ada beberapa langkah yang dapat dilakukan developer untuk menjaga keamanan aplikasi mereka.

Dalam pelatihan ini kita akan mempelajari teknik untuk mengamankan dan mengendalikan akses ke aplikasi ASP.NET Core. Juga akan dibahas cara menerapkan otentikasi dan otorisasi menggunakan kerangka kerja ASP.NET Core Identity dan otentikasi token dengan IdentityServer, dilanjutkan tentang pembahasan serangan yang paling umum, dan bagaimana melindungi sistem dari serangan tersebut (strategi untuk melindungi data sensitif dalam aplikasi termasuk enkripsi, perlindungan API, dan SSL).

Daftar Materi

Introduction to Web Security
Injection
Broken Authentication and Session Management
Cross Site Scripting (XSS)
Insecure Direct Object Reference
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Un-validated Redirects and Forwards
Discovering Device Communication With APIs
Leaky APIs and Hidden APIs
API Manipulation and Parameter Tampering
API Authentication and Authorization Vulnerabilities
Protect Against cross-site scripting (XSS) attacks
Protect Againts cross-site request forgery (XSRF) attacks
Protect againts SQL Injection Attacks
Define cross-origin resource sharing (CORS) policies
Open redirect attacks and URL manipulation
Data protection API Orverview
Use configuration builder and environment
Safe storage of application secrets during development
Protect client and server communication using SSL

ASP.NET Identity
Authentication and Authorization
Role Based and Claim Based Authentication
Security Best Practice (ASP.NET Core)

December 20, 2019February 16, 2020 Actual Training

Pelatihan ASP.NET Core Security – Batch 2 (PT Pertamina Pesero)

Pada tanggal 3 – 5 Desember 2019 telah dilaksanakan pelatihan inhouse dengan Judul ASP.NET Core Security. Peserta dari pelatihan ini adalah tim pengembang aplikasi backend dari PT Pertamina Persero. Pelatihan ini dilaksanakan di Pertamina Simprug Residence, Jakarta Selatan.

Pengajar pada pelatihan ini adalah Bapak Erick Kurniawan yang merupakan salah satu Microsoft MVP (Most Valuable Professional) di bidang Development Technology (ASP.NET Core, Xamarin Cross Platform, & Blazor).

Daftar Materi

Introduction to Web Security
Injection
Broken Authentication and Session Management
Cross Site Scripting (XSS)
Insecure Direct Object Reference
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
ASP.NET Identity
Security Best Practice (ASP.NET Core)
Discovering Device Communication With APIs
Leaky APIs and Hidden APIs
API Manipulation and Parameter Tampering
API Authentication and Authorization Vulnerabilities
Protect Against cross-site scripting (XSS) attacks
Protect Againts cross-site request forgery (XSRF) attacks
Protect againts SQL Injection Attacks
Define cross-origin resource sharing (CORS) policies
Open redirect attacks and URL manipulation
Encyrption basics
Data protection API Orverview
Use configuration builder and environment
Safe storage of application secrets during development
Protect client and server communication using SSL

November 22, 2019February 16, 2020 Actual Training

Pelatihan ASP.NET Core Security (PT Pertamina Pesero)

Pada tanggal 13 – 15 November 2019 telah dilaksanakan pelatihan inhouse dengan Judul ASP.NET Core Security. Peserta dari pelatihan ini adalah tim pengembang aplikasi backend dari PT Pertamina Persero. Pelatihan ini dilaksanakan di Pertamina Simprug Residence, Jakarta Selatan.

Daftar Materi

Introduction to Web Security
Injection
Broken Authentication and Session Management
Cross Site Scripting (XSS)
Insecure Direct Object Reference
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
ASP.NET Identity
Security Best Practice (ASP.NET Core)
Discovering Device Communication With APIs
Leaky APIs and Hidden APIs
API Manipulation and Parameter Tampering
API Authentication and Authorization Vulnerabilities
Protect Against cross-site scripting (XSS) attacks
Protect Againts cross-site request forgery (XSRF) attacks
Protect againts SQL Injection Attacks
Define cross-origin resource sharing (CORS) policies
Open redirect attacks and URL manipulation
Encyrption basics
Data protection API Orverview
Use configuration builder and environment
Safe storage of application secrets during development
Protect client and server communication using SSL