Practical video course of the School of Information Security
There is no need to remind anyone yet again why security matters when developing services. Let's talk instead about how to build protection systems, keep them current, and evolve them as the number of threats grows. A good deal of practical knowledge on this topic can be found on the Internet; the theory is well covered at several Russian universities, and there is plenty of useful literature. But what distinguishes a good security professional is not only knowledge of tools and theory, but the ability to apply that theory in real situations.
In April of this year we held our free Information Security School for the first time. The lectures were prepared and delivered by Yandex information security officers, the specialists directly responsible for protecting our products. We received more than 700 applications; 35 people completed the school, and 9 of them received offers from Yandex (7 for an intern position, 2 for a full-time position).
Today we are publishing a video course with all of the School's lectures. You can gain the same knowledge as the students, except that there is less interaction and you don't have to do the homework. To follow it, you should know at least one programming language (JS, Python, C++, Java), understand at a basic level how web applications are built and operate, understand the principles of operating systems and network infrastructure, and know the main types of attacks and classes of vulnerabilities.
We hope this course will level you up as an information security specialist and help you protect your services from data leaks and malicious attacks.
001. Web Application Security - Eldar Zaitov
We will describe how the modern web is built: microservice architecture, technological and architectural vulnerabilities, and how to prevent them. We will analyze client-side vulnerabilities and discuss exploitation techniques.
We will discuss typical vulnerabilities in mobile applications and how to prevent them on iOS and Android.
- The power of DDoS attacks has exceeded 1 Tbit/s: who is to blame and what is to be done?
- Security in IPv6: can ARP spoofing be prevented by moving to IPv6?
- Is Wi-Fi safe? "Come in, it's open", or a retrospective of Wi-Fi security from the first standard to 2018.
We will cover the classic UNIX security model and the POSIX ACL extensions, and the syslog and journald logging systems. We will discuss mandatory access control models (SELinux, AppArmor), how netfilter and iptables work, and procfs, sysctl, and OS hardening. We will talk about the layout of a stack frame and the vulnerabilities associated with stack buffer overflows, and the mechanisms that protect against such attacks: ASLR, the NX bit, DEP.
We will discuss the security of compiled applications, in particular memory-corruption vulnerabilities (out-of-bounds access, use-after-free, type confusion), and the compensating technical measures that modern compilers apply to reduce the likelihood of their exploitation.
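The two lectures above name the stack buffer overflow and the compiler-side mitigations without showing them. The following is an added example, not code from the course: a deliberately vulnerable copy routine beside a bounds-checked replacement, and a small model of what `-fstack-protector` does, namely placing a canary between the local buffer and the saved return address and checking it before the function returns. The canary value and buffer size are constants chosen for illustration (a real canary is randomized per process); the model keeps its own write in bounds so the program itself is well-defined, while `copy_name_unsafe` really is unsafe for input of 16 bytes or more.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY_VALUE 0xDEADBEEFu  /* illustrative constant; real canaries are random */

/* Vulnerable pattern (CWE-121): strcpy copies until the NUL terminator, so an
   input of BUF_SIZE bytes or more runs past buf into the rest of the stack
   frame (canary, saved frame pointer, return address). Only safe for trusted
   input shorter than BUF_SIZE; anything longer is undefined behaviour. */
int copy_name_unsafe(const char *name) {
    char buf[BUF_SIZE];
    strcpy(buf, name);
    return (int)strlen(buf);
}

/* Hardened counterpart: check the length first, copy with an explicit bound,
   and report failure instead of silently truncating. Returns -1 on reject. */
int copy_name_safe(const char *name, char *dst, size_t dstlen) {
    size_t n = strlen(name);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, name, n + 1);
    return (int)n;
}

/* Model of the stack protector. The compiler lays out locals so that a canary
   sits between the buffer and the saved frame pointer/return address; the
   epilogue compares it with the original value and aborts on mismatch. Here the
   "frame" is a plain byte array and the copy is capped at its size, so the
   overflow is modelled without real undefined behaviour. Returns 1 if the
   canary survived the write, 0 if the write clobbered it. */
int canary_survives(const char *input) {
    unsigned char frame[BUF_SIZE + sizeof(uint32_t)];
    uint32_t canary = CANARY_VALUE;
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &canary, sizeof canary);   /* canary after buf */

    size_t n = strlen(input) + 1;      /* strcpy would copy the NUL as well */
    if (n > sizeof frame)
        n = sizeof frame;              /* keep the model inside the array */
    memcpy(frame, input, n);           /* the unbounded write, modelled */

    uint32_t check;
    memcpy(&check, frame + BUF_SIZE, sizeof check);
    return check == CANARY_VALUE;      /* what the epilogue check decides */
}

int main(void) {
    char dst[BUF_SIZE];
    const char *short_name = "alice";                    /* constructed input */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes, constructed */

    printf("safe copy of short name:  %d\n", copy_name_safe(short_name, dst, sizeof dst));
    printf("safe copy of long name:   %d\n", copy_name_safe(long_name, dst, sizeof dst));
    printf("canary after short write: %s\n", canary_survives(short_name) ? "intact" : "smashed");
    printf("canary after long write:  %s\n", canary_survives(long_name) ? "intact" : "smashed");
    return 0;
}
```

A 15-byte name fits, while a 16-byte name already clobbers the first canary byte with the terminating NUL, which is the classic off-by-one the lecture's "stack frame layout" discussion is about. The canary only detects the overwrite after the fact; ASLR and NX/DEP do not prevent the write either, they make a useful return address harder to guess and the overwritten stack harder to execute. Compiling the real `copy_name_unsafe` with `gcc -fstack-protector-strong` and feeding it a long string produces the "stack smashing detected" abort that this model reproduces as a return value.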
We will discuss approaches to detecting and investigating incidents and the main problems encountered along the way, look at some of the tools that help with investigations, and try them in practice.
To use servers more efficiently, Yandex runs workloads in containers. In this lecture on security we will look at the main technologies that provide virtualization and containerization, focusing on containerization as the most popular way to deploy applications. We will discuss capabilities, namespaces, cgroups, and related technologies, and see how they work in modern Linux systems using Ubuntu as the example.
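Capabilities are the part of that lecture's list that a practitioner checks most often from inside a container. As an added example (not code from the course), the program below parses the `CapEff` line of `/proc/self/status` and reports which capabilities are present, which of them go beyond the set Docker grants by default (the documented mask `00000000a80425fb`), and which fall into a short list of capabilities that an ordinary container should not have. That "risky" list is this example's own choice, not one the lecture gives; the capability bit numbers are those of `<linux/capability.h>`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
enum {
    CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, CAP_SETGID = 6, CAP_SETUID = 7,
    CAP_NET_BIND_SERVICE = 10, CAP_NET_ADMIN = 12, CAP_NET_RAW = 13,
    CAP_SYS_MODULE = 16, CAP_SYS_PTRACE = 19, CAP_SYS_ADMIN = 21,
};

/* Effective set Docker grants a container by default (documented value). */
#define DOCKER_DEFAULT_CAPS 0x00000000a80425fbULL

/* Capabilities this example treats as "should not be in an ordinary container".
   This is the example's own list: CAP_SYS_ADMIN covers mount(2) and much more,
   CAP_SYS_PTRACE lets a process inspect others, CAP_SYS_MODULE loads kernel
   code, CAP_NET_ADMIN reconfigures networking. */
#define RISKY_CAPS ((1ULL << CAP_SYS_ADMIN) | (1ULL << CAP_SYS_PTRACE) | \
                    (1ULL << CAP_SYS_MODULE) | (1ULL << CAP_NET_ADMIN))

/* Parse one "Key:\t<hex>" line from /proc/<pid>/status into *mask.
   Returns 1 if the line carried that key and a valid mask, 0 otherwise. */
int parse_cap_line(const char *line, const char *key, uint64_t *mask) {
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;
    const char *p = line + klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return 0;
    *mask = (uint64_t)v;
    return 1;
}

/* Convenience wrapper: the parsed mask, or 0 when the line is not that key. */
uint64_t cap_mask_from_line(const char *line, const char *key) {
    uint64_t mask = 0;
    return parse_cap_line(line, key, &mask) ? mask : 0;
}

int cap_is_set(uint64_t mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Bits of mask that are in the risky list; non-zero deserves a closer look. */
uint64_t risky_caps(uint64_t mask) { return mask & RISKY_CAPS; }

/* Bits of mask beyond Docker's default set: what --cap-add or --privileged added. */
uint64_t caps_beyond_docker_default(uint64_t mask) { return mask & ~DOCKER_DEFAULT_CAPS; }

/* Read CapEff of the calling process. Returns 1 on success, 0 if /proc is unavailable. */
int read_own_capeff(uint64_t *mask) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_cap_line(line, "CapEff", mask)) { found = 1; break; }
    }
    fclose(f);
    return found;
}

int main(void) {
    uint64_t eff;
    if (!read_own_capeff(&eff)) {
        fprintf(stderr, "cannot read /proc/self/status\n");
        return 1;
    }
    printf("CapEff                = %016llx\n", (unsigned long long)eff);
    printf("risky bits            = %016llx\n", (unsigned long long)risky_caps(eff));
    printf("beyond docker default = %016llx\n", (unsigned long long)caps_beyond_docker_default(eff));
    printf("CAP_SYS_ADMIN is %s\n", cap_is_set(eff, CAP_SYS_ADMIN) ? "present" : "absent");
    return 0;
}
```

Run it as an unprivileged user, as root, and inside `docker run` with and without `--privileged` to see the three very different masks; `CapBnd` (the bounding set) and `NoNewPrivs` on the same status file tell the rest of the story. The parser only handles the mask lines, so feeding it a constructed line such as `CapEff:\t00000000a80425fb` is enough to exercise the classification offline.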
Yandex security engineers use their knowledge of cryptography every day. We will tell you how they do it, talk about PKI and its shortcomings, and cover TLS of different versions. We will consider attacks on TLS and methods of speeding up the protocol, and discuss Certificate Transparency, the Roughtime protocol, bugs in implementations of algorithms and protocols, and the hidden pitfalls of various frameworks.
Source: https://habr.com/ru/post/414821/