Introduction to Web Application Security – A Technical Overview Seminar

Understanding Web Application Security

TT8020

Introductory

1 Day

Course Overview

Understanding Web Application Security is an essential application security training course for technical leads, project managers, testing/QA personnel and other stakeholders who need to understand the issues and concepts associated with secure web applications. During this one-day dynamic seminar, students learn the best practices for designing, implementing, and deploying secure web applications. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices.

A key component of our Best Defense Security Training Series, this workshop is a companion course to several developer-oriented courses and seminars. Although this edition of the course is language-agnostic, it may also be presented using Java, .NET or other programming languages or environments.

Course Objectives

Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. This course builds on the mechanics for building defenses by exploring how design, analysis, testing, and QA can be used to build stronger applications from the beginning of the software lifecycle.

Students who attend Understanding Web Application Security will leave this course armed with an understanding of software vulnerabilities, defenses for those vulnerabilities, and testing those defenses for sufficiency. This course quickly introduces the most common security vulnerabilities faced by web applications today. Each vulnerability is examined through a process of describing the threat and attack mechanisms, the associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses. In many cases, there are demonstrations that reinforce these concepts with real vulnerabilities, attacks, and defenses.

Working in an interactive learning environment, attendees will learn to:

  • Understand the concepts and terminology behind defensive, secure coding
  • Appreciate the magnitude of the problems associated with web application security and the potential risks associated with those problems
  • Understand the use of Threat Modeling as a tool for identifying software vulnerabilities based on realistic threats against meaningful assets
  • Understand the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injection
  • Understand the vulnerabilities associated with authentication and authorization
  • Understand techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure
  • Relate to the potential vulnerabilities and defenses for the processing of XML in web services and Ajax

The course provides a solid foundation in basic terminology and concepts, extended and built upon throughout the engagement. Students will examine various recognized attacks against web applications. Processes and best practices are discussed and illustrated through both discussions and group activities. Attending students will be led through a series of advanced topics comprised of integrated lectures, group discussions and comprehensive demonstrations.

Course Prerequisites

This course is designed for web application project stakeholders who wish to get up and running on developing well-defended web applications. Attendees should have a minimum of 2 years' working knowledge in the IT industry, and ideally, students should have a basic understanding of web applications and the associated technologies. Actual development working knowledge is helpful but not necessary.

Course Agenda

Introduction: Misconceptions

  • Security: The Complete Picture
  • Seven Deadly Assumptions
  • Anthem, Sony, Target, Heartland, and TJX Debriefs
  • Causes of Data Breaches
  • Meaning of Being Compliant
  • Verizon’s 2015 Data Breach Report
  • 2015 PCI Compliance Report

Session: Security Concepts

  • Motivations: Costs and Standards
  • Open Web Application Security Project
  • Web Application Security Consortium
  • CERT Secure Coding Standards
  • Assets are the Targets
  • Security Activities Cost Resources
  • Threat Modeling
  • System/Trust Boundaries

Session: Principles of Information Security

  • Security Is a Lifecycle Issue
  • Minimize Attack Surface Area
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted

Session: Vulnerabilities

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication
  • Cross Site Scripting (XSS)
  • Injection
  • Error Handling and Information Leakage
  • Insecure Data Handling
  • Insecure Configuration Management
  • Direct Object Access
  • Spoofing and Redirects

Session: Understanding What’s Important

  • Common Vulnerabilities and Exposures
  • OWASP Top Ten for 2013
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Monster Mitigations
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations

Session: Defending XML, Services, and Rich Interfaces

  • Safe XML Processing
  • Web Service Security Exposures
  • WS-Security Roadmap
  • XWSS Provides Many Functions
  • Three Basic Tenets for Safe Rich Interfaces
  • OWASP REST Security Recommendations

Session: Secure Software Development (SDL)

  • SDL Process Overview
  • Applying Processes and Practices
  • Threat Modelling

Session: Security Testing

  • Testing Principles
  • Reviews as Form of Testing
  • Testing
  • Tools
  • Testing Practices

Course Materials

NA
