TT8120: Secure Web Application Development Seminar

Contact PI


  • Virtual Classroom

  • Onsite
Duration: 2 Days

In this course, you will explore sound processes and practices to apply to the entire software development lifecycle. You will learn current, real examples that illustrate the potential consequences of not following these best practices. This course is taught in a language-neutral fashion, with demonstrations from several languages to illustrate patterns and techniques.

You will gain the skills required to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. You will be introduced to the most common security vulnerabilities faced by web applications today. Each vulnerability will be examined from a coding perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and designing, implementing, and testing effective defenses. Labs will reinforce these concepts and you will have the opportunity to design and implement the layered defenses you will need to defend your own applications.

What You Will Learn

 

  • Potential sources for untrusted data
  • Consequences for not properly handling untrusted data (denial of service, cross-site scripting, and injections)
  • Test web applications with various attack techniques to determine the existence and effectiveness of layered defenses
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Vulnerabilities associated with authentication and authorization
  • Detect, attack, and implement defenses for authentication and authorization functionality and services
  • Dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Detect, attack, and implement defenses against XSS and Injection attacks
  • Concepts and terminology behind defensive, secure, and coding
  • Threat Modeling tool to identify software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications
  • Design and develop strong, robust authentication and authorization implementations
  • Fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Detect, attack, and implement defenses for XML-based services and functionality
  • Techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
  • Implement the processes and measures associated with the Secure Software Development (SSD)
  • Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives
  • Basics of security testing and planning
  • Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses

Audience

 

Application project stakeholders who wish to get up and running on developing well defended web applications

Prerequistes

 

  • Familiarity with a programming language (such as Java, .Net or C++) is required
  • Real world programming experience is highly recommended

Course Outline

 

1. Foundation

  • Misconceptions
  • Security Concepts
  • Defensive Coding Principles
  • Reality

2. Top Security Vulnerabilities

  • Unvalidated Input
  • Regular Expressions
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) Flaws
  • Injection Flaws
  • Error Handling and Information Leakage
  • Insecure Storage
  • Insecure Management of Configuration
  • Direct Object Access
  • Spoofing and Redirects

3. Understanding What's Important

  • Prioritizing Your Efforts
  • Common Vulnerabilities and Exposures for 2011
  • OWASP Top Ten for 2010
  • CWE/SANS Top 25 Programming Errors
  • Monster Mitigations

4. Defending XML Processing

  • Defending XML
  • Defending Web Services
  • Defending Ajax

5. Secure Software Development (SSD)

  • SSD Process
  • Asset, Boundary, and Vulnerability Identification
  • Vulnerability Response
  • Design and Code Reviews
  • Applying Processes and Practices
  • Risk Analysis

6. Security Testing

  • Testing as Lifecycle Process
  • Testing Planning and Documentation
  • Testing Tools and Processes
  • Principles
  • Static and Dynamic Code Analysis
  • Testing Practices

7. Security Design Patterns

  • Design Patterns
  • JEE Web Application Security Design Patterns

Course Labs