Do you have any idea how many of the files you send to your users are modified in transit? How much sensitive information is up for grabs to an eavesdropper? Or whether there is an attacker sitting in the middle, with the ability to carry out a dangerous SSL Stripping attack?
In the past few years, a secure communication channel has become more important than ever, and browsers are actively pushing developers towards using HTTPS. As a result, simply deploying the sensitive parts of your application over HTTPS is no longer sufficient. You need to move all of your content to HTTPS, and deploy additional security policies to establish a secure end-to-end communication channel.
In this session, participants will learn through hands-on experience why a partial HTTPS deployment can easily be undermined by easy-to-execute network attacks. We will cover common (non-cryptographic) attacks on HTTPS applications, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP). You will walk away with an up-to-date list of best practices for deploying your applications over HTTPS.
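The two policies named above are delivered as response headers, and a partial or weak deployment is easy to spot once you know what to look for. The following is an added example, not material from the training or its author: a small auditor that parses a server's `Strict-Transport-Security` and `Public-Key-Pins` headers and reports the settings that leave a site exposed (a short `max-age`, no `includeSubDomains`, a `preload` request that does not meet the preload-list requirements, or a pin set without a backup pin). The header values and pin strings in the sample inputs are constructed placeholders, and the `audit()` function assumes the caller hands it a dictionary of lowercase header names to values, as most HTTP client libraries can produce.

```python
import re

# One year, the minimum max-age the HSTS preload list requires.
HSTS_MIN_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value} (names lowercased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value):
    """Return a list of findings for an HSTS header value; empty means no weakness found."""
    d = parse_hsts(value)
    findings = []
    if "max-age" not in d:
        return ["missing max-age"]
    try:
        max_age = int(d["max-age"])
    except ValueError:
        return ["max-age is not an integer"]
    if max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif max_age < HSTS_MIN_AGE:
        findings.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; subdomains stay exposed to SSL stripping")
    if "preload" in d and (max_age < HSTS_MIN_AGE or "includesubdomains" not in d):
        findings.append("preload requested but preload-list requirements not met")
    return findings


def check_hpkp(value):
    """Return a list of findings for a Public-Key-Pins header value."""
    findings = []
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    if len(pins) < 2:
        # HPKP demands a backup pin so a key rotation cannot lock users out.
        findings.append("fewer than two pins; a backup pin is required")
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        findings.append("missing max-age")
    elif int(m.group(1)) == 0:
        findings.append("max-age=0 disables the pins")
    return findings


def audit(headers):
    """headers: dict mapping lowercase header names to values (assumed caller contract)."""
    report = {}
    hsts = headers.get("strict-transport-security")
    report["hsts"] = check_hsts(hsts) if hsts else ["header absent"]
    hpkp = headers.get("public-key-pins")
    if hpkp:
        report["hpkp"] = check_hpkp(hpkp)
    return report


# Constructed sample responses; the pin values are placeholders, not real SPKI hashes.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "public-key-pins": 'pin-sha256="PLACEHOLDER_PIN_A="; max-age=0',
}
STRONG_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "public-key-pins": (
        'pin-sha256="PLACEHOLDER_PIN_A="; pin-sha256="PLACEHOLDER_BACKUP_PIN="; '
        "max-age=2592000; includeSubDomains"
    ),
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, audit(hdrs))
```

The checks mirror what the session's attacks exploit: without `includeSubDomains` an attacker can still strip HTTPS on a subdomain that shares cookies with the main site, and a short `max-age` means the policy lapses after a brief period without a visit, reopening the first-request window.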
Attendees are required to bring a laptop with VirtualBox installed. If you have restricted access to the BIOS settings, please make sure virtualization is enabled up front.
The training image is available for download at the following URL:
https://people.cs.kuleuven.be/philippe.deryck/training/secappdev2017.ova