Electron Security Workshop
03 Jul 2019 - Posted by Mateusz Swidniak
2-Day Training on How to Build Secure Electron Applications
We are excited to present our brand-new class on Electron Security! This blog post provides a general overview of the 2-day workshop.
With the increasing popularity of the ElectronJs Framework, we decided to create a class that teaches students how to build and maintain secure desktop applications that are resilient to attacks and common classes of vulnerabilities. Building secure Electron applications is possible, but complicated. You need to know the framework, follow its evolution, and constantly update and devise defense-in-depth mechanisms to mitigate its deficiencies.
Our training begins with an overview of Electron internals and the life cycle of a typical Electron-based application. After a quick intro, we will jump straight into threat modeling and attack surface. We will analyze the common root causes of misconfigurations and vulnerabilities. The class will be centered around two main topics: subverting the framework and breaking the custom application code. We will present security misconfigurations, security anti-patterns, nodeIntegration and sandbox bypasses, insecure preload bugs, prototype pollution attacks, affinity abuses and much more.
The class is hands-on with many live examples. The exercises and scenarios will help students understand how to identify vulnerabilities and build mitigations. Throughout the class, we will also have a few Q&A panels to answer all questions attendees might have and potentially review their code.
If you’re interested, check out this short teaser:
Audience Profile
Who should take this course?
- JavaScript and Node.js Developers
- Security Engineers
- Security Auditors and Pentesters
We will provide details on how to find and fix security vulnerabilities, which makes this class suitable for both blue and red teams. Basic JavaScript development experience and a basic understanding of web application security (e.g. XSS) are required.
General Information
Attendees will receive a bundle with all material, including:
- Workshop presentation (over 200 slides)
- Code, exploits and artifacts of all exercises
- Certificate of completion
This 2-day training is delivered in English, either remotely or on-site (worldwide).
Doyensec will accept up to 15 attendees per tutor. If the number of attendees exceeds the maximum allowed, Doyensec will allocate additional tutors.
We’re a flexible security boutique and can further customize the agenda to your company’s specific needs.
Feel free to contact us at info@doyensec.com for scheduling your class!