Institute of Information Technology (IIT) University of Dhaka Dhaka – 1000, Bangladesh
Hands on Training on Fundamental Web and Application Security Issues for NREN Professionals
Introduction¹
Recent experiences of National Research and Education Networks (NRENs) in other countries have shown that workshops on security awareness, security practices and security frameworks play an important role in achieving high-quality security for NRENs. Case studies from India, Bhutan, Maldives and Sri Lanka have shown significant improvement in the quality of security practices after workshops were arranged and security ideas were gathered from the discussions during them. Building on that experience, this project will train human resources of nine (9) NRENs [Afghanistan (AF), Bangladesh (BD), Bhutan (BT), Cambodia (KH), Laos (LA), Myanmar (MM), Nepal (NP), Sri Lanka (LK), and Vietnam (VT)] and their connected organizations, focusing on the web and application security aspects of each organization’s Information Technology initiatives. The implementing organization of this workshop is the Institute of Information Technology (IIT), University of Dhaka, Dhaka, Bangladesh, in collaboration with Patuakhali Science and Technology University (PSTU), Patuakhali, Bangladesh.
Considering the current COVID-19 situation in Bangladesh and the South-East Asia region, the workshop will be executed online. Participants will join a Learning Management System (LMS) developed solely for this workshop. The LMS will provide access to all the resources. The instructors (security professionals working in academia and industry, from home and abroad) will facilitate each workshop session from a physical computer lab. The online meeting platform ZOOM will be used for interaction between the trainees and the trainers.
Objective
The specific objectives of this workshop are as follows.
§ To evaluate and analyze the issues involved in establishing and maintaining security for web solutions and software applications operating in NRENs and their connected organizations.
§ To disseminate domain-specific security knowledge and technologies among the target participants [32 participants from eight (8) different NRENs, namely Afghanistan, Bhutan, Cambodia, Laos, Myanmar, Nepal, Sri Lanka and Vietnam, and 60 from BdREN], building stronger subject-matter-expert communities in NRENs.
§ To increase the capability of NRENs to participate in development and hence increase their visibility to the world.
§ To support building secure and resilient information system solutions needed for citizens, business, society and government.
§ To promote women’s empowerment in Bangladesh and the South-East Asia region by dedicating one full session (among three training sessions) to the women in the target audience (36 female professionals [16 from overseas] connected to NRENs).
¹ This workshop has received funding from the Asi@Connect project, a European Union co-funded project under Grant contract ACA 2016-376-562.
In the recent past, workshops on cyber security and network security have been organized at Patuakhali Science and Technology University (PSTU), Bangladesh and Dhaka University, Bangladesh. As a result, people in this region (Bangladesh and the countries of South-East Asia) are aware of the security vulnerabilities of using Information Technology services and their impact on the organization. However, there has been no specialized discussion of web and application security, the area to which most of us are exposed.
Therefore, concentrating on that unexplored domain of information security is another major objective of the proposed workshop.
Details of Activities
Web security is a critical part of protecting an organization’s data, assets and resources that are accessed through the web (and are therefore connected to the Internet). This workshop will focus on the fundamental aspects of web security. It will discuss the key concepts, protocols and policies involved in establishing and maintaining security for web solutions and software applications, along with the well-known vulnerabilities that exist in this domain of Information Technology.
Studying software applications to identify their vulnerabilities is also an important component of this workshop.
Additionally, the strengths and weaknesses of web solutions and the applications in use will be identified, in terms of security, through this workshop.
This workshop will further examine well-known tools for identifying vulnerabilities in web solutions and software applications, and take a closer look at tips to mitigate them.
The workshop is designed for the Information Technology (IT) project managers, IT solution architects, maintenance engineers, network engineers, young academicians and security professionals from nine (9) NRENs including BdREN and Universities connected to NRENs.
Security experts from both Bangladesh and abroad will be invited and their presence will trigger discussions on the latest technology trends on web and application security for a large and dynamic organization like NREN. Members from all connected universities will be invited which will ensure proper coverage and sharing of the learning of this workshop to all stakeholders. At the same time, participation of all the connected organizations will ensure effective coverage of the event. Invitation and participation of internationally renowned security experts will assure that this workshop obtains visibility at the international stage as well.
Schedule of the Workshop
The workshop will be arranged in three batches (each of 5 days), where one batch will be dedicated to the women in the target audience to promote women’s empowerment in this region (Bangladesh and South-East Asia).
The training will be conducted as per the following schedule [since each workshop topic is required to be delivered to 3 different batches, three different dates are mentioned in the date column for a single lecture session].
Date / Time / Topic

Day 1 (June 15, 20, and 26)
09:45-10:00  Participants will join the online platform of the training
10:00-10:45  Inauguration ceremony
10:45-11:00  Tea break
11:00-12:30  An overview of cyber and web application security: CIA triad, risk, threat, vulnerability, recent attacks and attack trends
12:30-14:00  Lunch and prayer break
14:00-15:30  Web application vulnerability: The Open Web Application Security Project (OWASP) top 10 vulnerabilities; Introduction to Security Risk Management: threat analysis, attacker modelling and relevant activities
15:30-16:00  Tea break
16:00-17:00  Closer look at authentication mechanisms, session vulnerability and testing, broken authentication, and broken access control

Day 2 (June 16, 21, and 27)
09:30-10:30  Introduction to Security Risk Management: threat analysis, attacker modelling and relevant activities
10:30-11:00  Tea break
11:00-12:30  TLS and its well-known vulnerabilities: tools to detect TLS vulnerabilities
12:30-14:00  Lunch and prayer break
14:00-15:30  Closer look at cross-site scripting (XSS) and cross-site request forgery (CSRF)
15:30-16:00  Tea break
16:00-17:00  Closer look at SQL injection

Day 3 (June 17, 22, and 28)
09:30-10:30  Nmap Security Scanning - 1
10:30-11:00  Tea break
11:00-12:30  Nmap Security Scanning - 2
12:30-14:00  Lunch and prayer break
14:00-15:30  Offline application security testing: static analysis tools for security testing
15:30-16:00  Tea break
16:00-17:00  Use of threat intelligence tools: VirusTotal and ThreatMiner

Day 4 (June 18, 23, and 29)
09:30-10:30  Web Security Testing Guide: Penetration Testing Execution Standard, OWASP open source security testing methodology, Common Vulnerability Scoring System (CVSS), and National Vulnerability Database
10:30-11:00  Tea break
11:00-12:30  Online application security testing: dynamic analysis tool OWASP ZAP
12:30-14:00  Lunch and prayer break
14:00-15:30  Single sign-on solutions and security
15:30-16:00  Tea break
16:00-18:00  Open topic (will be selected later)

Day 5 (June 19, 24, and 30)
09:30-11:00  Web environment configuration security and incident handling
11:00-11:30  Tea break
11:30-12:30  Web Application Security Control: zero trust architecture, defense in depth, security awareness initiatives, generic guidelines for ensuring security
12:30-14:00  Lunch and prayer break
14:00-15:00  Evaluation and feedback
15:00-16:00  Certificate distribution and closing ceremony
16:00-16:30  Tea break
This brochure has been produced with co-funding of the European Union for the Asi@Connect Project under Grant contract ACA 2016-376-562. The contents of this document are the sole responsibility of the Institute of Information Technology (IIT), University of Dhaka and can under no circumstances be regarded as reflecting the position of the European Union.