Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

AI-generated code | Harness the power of AI coding assistants while managing the risks
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Consolidation | Simplify your application security program
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source License Compliance | Effective solutions for ensuring open source license compliance
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

Node.js Security

Course Description

The benefits of the NodeJS platform keep growing, but it can still suffer from the same common web vulnerabilities as other web application frameworks and platforms. This course looks at solutions to common security pitfalls associated with using ExpressJS, Pug, and MongoDB. We'll also examine preventive measures for building a more secure application using a defense-in-depth approach.

Learning Objectives

Use bcrypt for password storage
Avoid common access control mistakes
Use HTTP headers for additional transport and session security
Audit third-party dependencies for known vulnerabilities

Details

Delivery Format: eLearning

Duration: 1 Hour

Level: Intermediate

Intended Audience

Architects
Back-End Developers
Front-End Developers

Prerequisites

Course Outline

Validating Data in ExpressJS

Validating Data Overview
What is Untrusted Data?
Where to Validate Data
Validating Data at the Request Layer
Validating Data at the Model Layer

Handling Authentication in NodeJS Applications

Protecting Passwords
Protecting Against User Enumeration
Locking User Accounts

Access Control in NodeJS

Principle of Least Privilege and Roles
Function-Level Access Controls
Access Control Mistakes

Session Management in ExpressJS

Session Hijacking
Enabling HttpOnly Flag
Enabling the Secure Flag
Session Timeouts
Session Fixation
Forcing Re-authentication

NodeJS Transport Security

TLS, SSL, and HTTPS
Importance of TLS
HTTP Strict Transport Security Header
Content Security Policy

Pug Security Concern

Cross-Site Scripting
Common Used Templating Systems
Server-Side Template Injection

Preventing MongoDB Query Selector Injection Attacks

Injecting JavaScript
Injecting Operators

Managing Third-Party Dependencies

Unused Packages
Package Popularity
Check for Outdated Packages
Check for Known Vulnerabilities

Run a Private Repository

OAuth 2.0 Security v3.0

The Need for OAuth 2.0

An Example OAuth 2.0 Scenario
The Valet Key Analogy
Valet Keys in Our Application

Delegated Access with OAuth 2.0

A Brief History of OAuth 2.0
OAuth 2.0 Terminology
Conceptual Overview of OAuth 2.0
OAuth 2.0 Clients

Overview of OAuth 2.0 Grant Types

Overview of Different Grant Types and Their Purposes
Authorization Code Grant
Device Authorization Grant
Client Credentials Grant
Implicit Grant
Resource Owner Password Credentials Grant

Delegated Access from a Confidential Client

A Confidential Client Scenario
Delegated Access with the Authorization Code Flow
Security Properties of the Authorization Code Flow

Delegated Access from a Public Client

A Public Client Scenario
Augmenting the Authorization Code Grant with PKCE
Mobile and Native Clients
Frontend Web Clients
Security Properties of the Authorization Code Flow with PKCE

Long-Term Delegated Access

The Purpose of Access Tokens
Running a New Flow
Using Refresh Tokens
Securing Refresh Tokens

Common Pitfalls and Misconceptions

Mistaking OAuth 2.0 for What It Is Not
Abusing OAuth 2.0 for Authentication
Modifying OAuth 2.0 Flows

Wrapping up OAuth 2.0

The Core Concepts of OAuth 2.0
High-Level Security Considerations

Print to PDF

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster

Learn more about developer security training