TT8020: Understanding Web Application Security: A Technical Overview

  • Virtual Classroom

  • Onsite
Duration: 1 Day

This course is essential application security training for technical leads, project managers, testing/QA personnel, and other stakeholders who need to understand the issues and concepts associated with secure web applications. You will learn the best practices for designing, implementing, and deploying secure web applications. You will cover current, real examples that illustrate the potential consequences of not following these best practices.

You will leave this course armed with an understanding of software vulnerabilities, defenses for those vulnerabilities, and testing those defenses for sufficiency. You will be introduced to the most common security vulnerabilities faced by web applications today. Each vulnerability is examined through a process of describing the threat and attack mechanisms, the associated vulnerabilities, and designing, implementing, and testing effective defenses.

What You Will Learn


  • Concepts and terminology behind defensive, secure coding
  • Magnitude of the problems associated with web application security and the potential risks associated with those problems
  • Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Consequences for not properly handling untrusted data (denial of service, cross-site scripting, and injections)
  • Vulnerabilities associated with authentication and authorization
  • Techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure
  • The potential vulnerabilities and defenses for the processing of XML in web services and Ajax

Audience


Web application project stakeholders who wish to develop well-defended web applications

Prerequisites


  • Minimum of two years working knowledge in IT
  • Basic understanding of web applications and the associated technologies
  • Actual development working knowledge is helpful but not required

Course Outline


1. Foundation

  • Misconceptions
  • Security Concepts
  • Defensive Coding Principles
  • Reality

2. Top Security Vulnerabilities

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS/CSRF) Flaws
  • Injection Flaws
  • Error Handling and Information Leakage
  • Insecure Storage
  • Insecure Management of Configuration
  • Direct Object Access
  • Spoofing and Redirects

3. Defending XML Processing

  • Defending XML
  • Defending Web Services
  • Defending Ajax

4. What's Important

  • Prioritizing Your Efforts
  • Common Vulnerabilities and Exposures for 2011
  • OWASP Top Ten for 2010
  • CWE/SANS Top 25 Programming Errors
  • Monster Mitigations

5. Secure Software Development (SSD)

  • SSD Process
  • Applying Processes and Practices
  • Risk Analysis

6. Security Testing

  • Testing Principles
  • Reviews as a Form of Testing
  • Testing
  • Tools
  • Testing Practices

Course Labs