Secure Web Application Development
Course Description
Overview
This Secure Web Application Development Seminar (Language Neutral) course is designed for web developers who need to produce secure web applications, integrating security measures into the development process from requirements through deployment and maintenance. In this course, students are shown best practices for defensively coding web applications, including XML processing and web services. Demonstrations repeatedly attack and then defend various assets associated with a fully functional web application. This approach illustrates the mechanics of securing web applications in the most practical terms.
In many cases, there are labs that reinforce these concepts with real vulnerabilities and attacks. Students are then challenged to design and implement the layered defenses they will need in defending their own applications.
Objectives
- Understand potential sources for untrusted data
- Understand the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injection
- Be able to test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
- Prevent and defend the many potential vulnerabilities associated with untrusted data
- Understand the vulnerabilities associated with authentication and authorization
- Be able to detect, attack, and implement defenses for authentication and authorization functionality and services
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Be able to detect, attack, and implement defenses against XSS and Injection attacks
- Understand the concepts and terminology behind defensive, secure coding
- Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications
- Design and develop strong, robust authentication and authorization implementations
- Understand the fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
- Be able to detect, attack, and implement defenses for XML-based services and functionality
- Understand techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure
- Understand and implement the processes and measures associated with Secure Software Development (SSD)
- Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives
- Understand the basics of security testing and planning
- Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses
Audience
- Web Developers - This is an intermediate-level course designed for application project stakeholders who wish to get up and running on developing well-defended web applications. Familiarity with a programming language (such as Java, .Net or C++) is required, and real-world programming experience is highly recommended.
Prerequisites
- Take Before: Students should have an understanding and a working knowledge of basic programming in either .Net or Java. Depending on the language of choice, students should have experience similar to:
- TT4000 Understanding Internet Architectures
- TT2100 Mastering Java for OO Developers or a .Net Fundamentals course
- We offer this course for both Java (TT8120-J) and .Net (TT8120-N) flavors
- For team members that need a higher level view of security and related issues, please consider TT8020 Understanding Web Application Security
- If you are looking for hands-on labs, you might consider: TT8325 Securing Web Application Development Lifecycle (SDL) (for Java or .Net)
- If you need less of a web application orientation, you might consider: TT8200 Secure Coding (for Java or .Net)
Topics
- Assumptions We Make
- Security: The Complete Picture
- Anthem, Dell, Target, Equifax, and Marriott Debriefs
- Verizon's 2018 Data Breach Report
- Attack Patterns and Recommendations
- Motivations: Costs and Standards
- Open Web Application Security Project
- Web Application Security Consortium
- CERT Secure Coding Standards
- Microsoft SDL
- Assets and Trust Boundaries
- Threat Modeling
- Potential Demonstration: Asset Analysis
- Security Is a Lifecycle Issue
- Minimize Attack Surface Area
- Layers of Defense: Tenacious D
- Compartmentalize
- Consider All Application States
- Do NOT Trust the Untrusted
- Injection Flaws
- Examples: SQL Injection
- Drill Down on Stored Procedures
- Understanding the Underlying Problem
- Other Forms of Injection
- Minimizing Injection Flaws
- Potential Demonstration: Defending Against SQL Injection
- Weak Authentication Data
- Protecting Authentication Data
- Protecting Authentication Services
- Effective Credential Management
- Effective Multi-Factor Authentication
- Handling Passwords on Server Side
- Potential Demonstration: Defending Authentication
- Protecting Data Can Mitigate Impact of Exploit
- Regulatory Considerations
- Establishing an Asset Inventory
- At Rest Data Handling
- In Motion Data Handling
- In Use Data Handling
- Potential Demonstration: Defending Sensitive Data
- Access Control and Trust Boundaries
- Excessive Privileges
- Insufficient Flow Control
- Unprotected API Resource Access
- JWTs, Sessions and Session Management
- Single Sign-on (SSO)
- Potential Demonstration: Enforcing Access Control
- System Hardening: IA Mitigation
- Application Whitelisting
- Principle of Least Privileges in Real Terms
- Secure Configuration Baseline
- Error-Handling Issue (First Section)
- XSS Patterns
- Stored XSS
- Reflected XSS
- DOM XSS
- Best Practices for Untrusted Data
- Potential Demonstration: Defending Against XSS
- Recognizing Serialization in Java, JSON.Net and Elsewhere
- Deserializing Hostile Objects
- Safely Managing Deserialization
- Name Resolution Vulnerabilities
- Fake Certs and Mobile Apps
- Targeted Spoofing Attacks
- Cross Site Request Forgeries (CSRF)
- CSRF Defenses
- Potential Demonstration: Cross-Site Request Forgeries
- Common Vulnerabilities and Exposures
- CWE/SANS Top 25 Most Dangerous SW Errors
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
- Leveraging Common AppSec Practices and Controls
- XML Signature
- XML Encryption
- XML Attacks: Structure
- XML Attacks: Injection
- Safe XML Processing
- Potential Demonstration: Safe XML Processing
- Web Service Security Exposures
- When Transport-Level Alone is NOT Enough
- Message-Level Security
- WS-Security Roadmap
- Web Service Attacks
- Web Service Appliance/Gateways
- Potential Demonstration: Web Service Attacks
- How Attackers See Rich Interfaces
- Attack Surface Changes When Moving to Rich Interfaces and REST
- Bridging and its Potential Problems
- Three Basic Tenets for Safe Rich Interfaces
- OWASP REST Security Recommendations
- OAuth 2.0 and OpenID
- Potential Demonstration: Working with OAuth
- Types of Security Controls
- Phases of Typical Data-Oriented Attack
- Phases: Offensive Actions and Defensive Controls
- Security Lifecycle Activities
- Threat Modeling Process
- Modeling Assets and Trust Boundaries
- Modeling Data Flows
- Identifying Threats
- Relating Threats to Model
- Mitigating Threats
- Reviewing the Application
- Security Testing Principles
- Dynamic Analyzers
- Static Code Analyzers
- Criteria for Selecting Static Analyzers
- OWASP Web App Penetration Testing
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Ajax Testing
Related Courses
- HTML, XHTML, and CSS (WDHT-200)
  - Duration: 3 Days
  - Delivery Format: Classroom Training, Online Training
  - Price: 1,755.00 USD
- New Features of HTML5 and CSS3 (WDHT-205)
  - Duration: 2 Days
  - Delivery Format: Classroom Training, Online Training
  - Price: 1,170.00 USD
Self-Paced Training Info
Learn at your own pace with anytime, anywhere training
- Same in-demand topics as instructor-led public and private classes.
- Standalone learning or supplemental reinforcement.
- e-Learning content varies by course and technology.