Secure Web Applications Overview (Language Neutral Edition) | Explore OWASP Top Ten, Web Services, Rich Interfaces & More

Course Objectives

Students who attend Secure Web Application Development will gain an understanding of how to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. This course introduces most common security vulnerabilities faced by web applications today. Each vulnerability is examined from a coding perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses. 

Guided by our application security expert, attendees will explore how to:

• Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
• Identify defect/bug reporting mechanisms within their organizations
• Setup and use various tools and techniques to determine a web application’s operational environment
• Setup and use various tools and techniques to enumerate all aspects of a web application
• Setup and use various tools and techniques to scan a web application for vulnerabilities
• Work with specific tools for targeted vulnerabilities
• Avoid common mistakes that are made in bug hunting and vulnerability testing
• Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
• Develop an appreciation for the need and value of a multilayered defense in depth
• Understand potential sources for untrusted data
• Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
• To test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
• Prevent and defend the many potential vulnerabilities associated with untrusted data
• Understand the vulnerabilities of associated with authentication and authorization
• Detect, attack, and implement defenses for authentication and authorization functionality and services
• Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
• Detect, attack, and implement defenses against XSS and Injection attacks
• Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or  mitigate those risks
• Learn the strengths, limitations, and use for tools such as code scanners, dynamic scanners, and web application firewalls (WAFs)
• Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Need different skills or topics?  If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate.  We offer additional programming, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an introductory-level course designed for technical application project stakeholders who wish to get up and running on developing well defended web applications.  Real-world programming experience is highly recommended for code reviews.

Take After: We offer a variety of introductory through advanced security, development, project management, engineering, architecture and design courses that serve as an excellent follow on to this course.  Please inquire for details.

• Java, Node.js, C++ or .Net oriented Web Application Security hands-on training
• Refresher training for updated skills or to fulfill PCI compliant requirements

Please see the Related Courses tab for specific Pre-Requisite courses, Related Courses that offer similar skills or topics, and next-step Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most.

Introduction: Misconceptions

• Security: The Complete Picture
• Seven Deadly Assumptions
• Anthem, Sony, Target, Heartland, and TJX Debriefs
• Causes of Data Breaches
• Meaning of Being Compliant
• Verizon’s 2015 Data Breach Report
• 2015 PCI Compliance Report

 Session: Foundation

 Lesson: Security Concepts

• Motivations: Costs and Standards
• Open Web Application Security Project
• Web Application Security Consortium
• CERT Secure Coding Standards
• Assets are the Targets
• Security Activities Cost Resources
• Threat Modeling
• System/Trust Boundaries

Lesson: Principles of Information Security

• Security Is a Lifecycle Issue
• Minimize Attack Surface Area
• Layers of Defense: Tenacious D
• Compartmentalize
• Consider All Application States
• Do NOT Trust the Untrusted

Session: Vulnerabilities

 Lesson: Unvalidated Input

• Buffer Overflows
• Integer Arithmetic Vulnerabilities
• Unvalidated Input: From the Web
• Defending Trust Boundaries
• Whitelisting vs Blacklisting

 Lesson: Overview of Regular Expressions

• Regular Expressions
• Working With Regexes in Java
• Applying Regular Expressions

Lesson: Broken Access Control

• Access Control Issues
• Excessive Privileges
• Insufficient Flow Control
• Unprotected URL/Resource Access
• Examples of Shabby Access Control
• Session and Session Management

 Lesson: Broken Authentication

• Broken Quality/DoS
• Authentication Data
• Username/Password Protection
• Exploits Magnify Importance
• Handling Passwords on Server Side
• Single Sign-on (SSO)

 Lesson: Cross Site Scripting (XSS)

• Persistent XSS
• Reflective XSS
• Best Practices for Untrusted Data

Lesson: Injection

• Injection Flaws
• SQL Injection Attacks Evolve
• Drill Down on Stored Procedures
• Other Forms of Injection
• Minimizing Injection Flaws

Lesson: Error Handling and Information Leakage

• Fingerprinting a Web Site
• Error-Handling Issues
• Logging In Support of Forensics
• Solving DLP Challenges

 Lesson: Insecure Data Handling

• Protecting Data Can Mitigate Impact
• In-Memory Data Handling
• Secure Pipes
• Failures in the SSL Framework Are Appearing

 Lesson: Insecure Configuration Management

• System Hardening: IA Mitigation
• Application Whitelisting
• Least Privileges
• Anti-Exploitation
• Secure Baseline

Lesson: Direct Object Access

• Dynamic Loading
• Direct Object References

Lesson: Spoofing and Redirects

• Name Resolution Vulnerabilities
• Fake Certs and Mobile Apps
• Targeted Spoofing Attacks
• Cross Site Request Forgeries (CSRF)
• CSRF Defenses are Entirely Server-Side
• Safe Redirects and Forwards

Lesson: Understanding What’s Important

• Common Vulnerabilities and Exposures
• OWASP Top Ten for 2013
• CWE/SANS Top 25 Most Dangerous SW Errors
• Monster Mitigations
• Strength Training: Project Teams/Developers
• Strength Training: IT Organizations

Session: Defending XML, Services, and Rich Interfaces

Lesson: Defending XML

• XML Signature
• XML Encryption
• XML Attacks: Structure
• XML Attacks: Injection
• Safe XML Processing

Lesson: Defending Web Services

• Web Service Security Exposures
• When Transport-Level Alone is NOT Enough
• Message-Level Security
• WS-Security Roadmap
• XWSS Provides Many Functions
• Web Service Attacks
• Web Service Appliance/Gateways

Lesson: Defending Rich Interfaces and REST

• How Attackers See Rich Interfaces
• Attack Surface Changes When Moving to Rich Interfaces
• Bridging and its Potential Problems
• Three Basic Tenets for Safe Rich Interfaces
• OWASP REST Security Recommendations

Session: Secure Development Lifecycle (SDL)

Lesson: SDL Process Overview

• Software Security Axioms
• Security Lifecycle – Phases

Lesson: Applying Processes and Practices

• Awareness
• Application Assessments
• Security Requirements
• Secure Development Practices
• Security Architecture/Design Review
• Security Code Review
• Configuration Management and Deployment
• Vulnerability Remediation Procedures

Lesson: Risk Analysis

• Threat Modeling Process
• 1. Identify Security Objectives
• 2. Describe the System
• 3. List Assets
• 4. Define System/Trust Boundaries
• 5. List and Rank Threats
• 6. List Defenses and Countermeasures

Session: Security Testing

Lesson: Testing Tools and Processes

• Security Testing Principles
• Black Box Analyzers
• Static Code Analyzers
• Criteria for Selecting Static Analyzers

Lesson: Testing Practices

• OWASP Web App Penetration Testing
• Authentication Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Services Testing
• Ajax Testing

Course Materials

Each student will receive a Student Guide with course notes, code samples, software tutorials, step-by-step written lab instructions, diagrams and related reference materials and links (as applicable). Students will also receive the project files (or code, if applicable) and solutions required for the hands-on work.

Hands-on Setup Made Simple! Our dedicated tech team will work with you to ensure your student machines and learning environment is setup, tested and ready to go well in advance of the course delivery date, ensuring a smooth start to class and seamless hands-on experience for your students. We offer several flexible student machine setup options including guided manual set up for simple installation directly on student machines, or cloud based / remote hosted lab solutions where students can log in to a complete separate lab environment minus any installations, or we can supply complete turn-key, pre-loaded equipment to bring ready-to-go student machines to your students or in-person facility.  Please inquire for details.