
Secure Coding: Preventing Insecure Deserialization

This course will teach you the basics of serialization and deserialization, including serialization file formats, what insecure deserialization is, and how to prevent that type of vulnerability from occurring in your code.
Course info
Rating
(17)
Level
Intermediate
Updated
Mar 21, 2018
Duration
1h 2m
Description

As a developer, it is important to be familiar with the common vulnerabilities that are often encountered in web applications. Insecure deserialization is one of those vulnerabilities, ranking 8th in the OWASP Top 10 2017. In this course, Secure Coding: Preventing Insecure Deserialization, you will learn how to properly defend yourself against that particular vulnerability. First, you will learn about the basics of serialization and deserialization, and about the various serialization file formats. Next, you will discover what insecure deserialization actually is, and how it can be exploited: in order to fix the problem, you need to know what can go wrong. Finally, you will explore how to properly prevent insecure deserialization in any development language or framework. By the end of this course, you will have the secure coding skills and knowledge needed to prevent insecure deserialization vulnerabilities from creeping into your application.

About the author

Peter started out in the nineties as a software engineer working on internet banking applications for various European financial institutions. In 2004, he started specializing in pentesting complex and feature-rich web applications. Currently, he leads a global team of highly skilled and enthusiastic penetration testers as lead pentester.

Section Introduction Transcripts

Course Overview
Hi everyone. My name is Peter Mosmans, and welcome to my course: Secure Coding: Preventing Insecure Deserialization. I'm a lead penetration tester, working for multiple companies around the globe. New in the OWASP Top 10 of 2017, at number 8: insecure deserialization. Apparently it's deemed quite a critical risk for web applications. But what is insecure deserialization, and how can you mitigate the risks? In this course, we're going to take a look at the serialization and deserialization process. We're going to try to exploit some vulnerabilities, and we're going to see effective, secure solutions. Some of the major topics that we'll cover include: what serialization and deserialization is, the various serialization file formats, insecure patterns that offer little to no protection, and how to securely implement and apply serialization. By the end of this course, you'll know all about which mitigation strategies will and won't work, and why. Before beginning the course, you should be somewhat familiar with software development. The course itself is for anyone wanting to know what insecure deserialization is, and how to prevent those vulnerabilities from creeping into your code. I hope you'll join me on this journey to learn more about secure coding, with the Insecure Deserialization course, here at Pluralsight.

Insecure Patterns for Deserialization
So far, we've seen what serialization and deserialization are. We also saw what insecure deserialization is and how it can be exploited. But you probably watched this course to know how to protect yourself from this, how to protect yourself from insecure deserialization vulnerabilities. This module deals with insecure patterns for deserialization. In other words, patterns that look as if they protect the application, but in practice don't offer the application complete protection, or in some cases don't offer any protection at all. So the patterns that you see in this module will not completely protect you, and therefore, do not solely rely on them to offer you full protection against deserialization vulnerabilities. The reason I'm showing you this is because these are very popular patterns. Some patterns might mitigate a bit, but be aware of their shortcomings and pitfalls. That's what this whole module is about. We will discuss the following patterns: error and exception handling, enforcing the correct type of the deserialized object, and the most widely encountered pattern, using a generic serialization format. Let's start with common sense and the first one, and add error and exception handling to our code in the next demo.