Introduction to Web Application Security – A Technical Overview Seminar

Understanding Web Application Security

TT8020

Introductory

1 Day

Course Overview

Understanding Web Application Security is an essential application security training course for technical leads, project managers, testing/QA personnel and other stakeholders who need to understand the issues and concepts associated with secure web applications. During this one day dynamic seminar, students learn the best practices for designing, implementing, and deploying secure web applications. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices.

A key component to our Best Defense Security Training Series, this workshop is a companion course with several developer-oriented courses and seminars.   Although this edition of the course is language-agnostic, it may also be presented using Java, .Net or other programming languages or environments.

Course Objectives

Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. This course builds on the mechanics for building defenses by exploring how design, analysis, testing, and QA can be used to build stronger applications from the beginning of the software lifecycle.

Students who attend Understanding Web Application Security will leave this course armed with an understanding of software vulnerabilities, defenses for those vulnerabilities, and testing those defenses for sufficiency. This course quickly introduces the most common security vulnerabilities faced by web applications today. Each vulnerability is examined through a process of describing the threat and attack mechanisms, the associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses. In many cases, there are demonstrations that reinforce these concepts with real vulnerabilities, attacks, and defenses.

Working in an interactive learning environment, attendees will learn to:

  • Understand the concepts and terminology behind defensive, secure, coding
  • Appreciate the magnitude of the problems associated with web application security and the potential risks associated with those problems
  • Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Understand the vulnerabilities of associated with authentication and authorization
  • Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
  • Relate to the potential vulnerabilities and defenses for the processing of XML in web services and Ajax

The course provides a solid foundation in basic terminology and concepts, extended and built upon throughout the engagement. Students will examine various recognized attacks against web applications. Processes and best practices are discussed and illustrated through both discussions and group activities. Attending students will be led through a series of advanced topics comprised of integrated lectures, group discussions and comprehensive demonstrations.

Course Prerequisites

This is course designed for web application project stakeholders who wish to get up and running on developing well defended web applications. Attendees should have a minimum of 2 years working knowledge in the IT industry, and ideally, students should have a basic understanding of web applications and the associated technologies. Actual development working knowledge is helpful but not necessary.

Course Agenda

Introduction: Misconceptions

  • Security: The Complete Picture
  • Seven Deadly Assumptions
  • Anthem, Sony, Target, Heartland, and TJX Debriefs
  • Causes of Data Breaches
  • Meaning of Being Compliant
  • Verizon’s 2015 Data Breach Report
  • 2015 PCI Compliance Report

Session: Security Concepts

  • Motivations: Costs and Standards
  • Open Web Application Security Project
  • Web Application Security Consortium
  • CERT Secure Coding Standards
  • Assets are the Targets
  • Security Activities Cost Resources
  • Threat Modeling
  • System/Trust Boundaries

 Session: Principles of Information Security

  • Security Is a Lifecycle Issue
  • Minimize Attack Surface Area
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted

Session: Vulnerabilities

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication
  • Cross Site Scripting (XSS)
  • Injection
  • Error Handling and Information Leakage
  • Insecure Data Handling
  • Insecure Configuration Management
  • Direct Object Access
  • Spoofing and Redirects

Session: Understanding What’s Important

  • Common Vulnerabilities and Exposures
  • OWASP Top Ten for 2013
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Monster Mitigations
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations

Session: Defending XML, Services, and Rich Interfaces

  • Safe XML Processing
  • Web Service Security Exposures
  • WS-Security Roadmap
  • XWSS Provides Many Functions
  • Three Basic Tenets for Safe Rich Interfaces
  • OWASP REST Security Recommendations

Session: Secure Software Development (SDL)

  • SDL Process Overview
  • Applying Processes and Practices
  • Threat Modelling

Session: Security Testing

  • Testing Principles
  • Reviews as Form of Testing
  • Testing
  • Tools
  • Testing Practices

Course Materials

NA

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Summer Savings!
Register today to receive *50% off all 2021 Public Classes*!  Check out our Current Offers for Individuals, Teams and Organizations to Learn for Less!

See our latest Offers and Promotions

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course
Trivera MiniCamps
Gain the skills you need with less time in the classroom with our short course, live-online hands-on events
Trivera QuickSkills: Free Courses and Webinars
Training on us! Keep your skills current with free live events, courses & webinars
Trivera AfterCourse: Coaching and Support
Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More