
Secure Web Application Development


Duration: 2 days

Price: 1,400.00 USD (public price per student)


This course is designed to give students the knowledge needed to produce secure web applications, integrating security measures into the development process from requirements through deployment and maintenance. It goes well beyond basic programming skills, teaching developers sound processes and practices that apply to the entire software development lifecycle. The course is short on theory and long on application, providing in-depth, code-level demonstrations and walk-throughs. It is taught in a language-neutral fashion, with demonstrations in several languages to illustrate patterns and techniques.

This course is on the intermediate level. It is in seminar format with lecture combined with open discussions and high-level demonstrations.


Upon completion of the course, students will be able to:
  • Explain potential sources for untrusted data
  • Describe the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injection
  • Test web applications with various attack techniques to determine the existence and effectiveness of layered defenses
  • Prevent and defend against the many potential vulnerabilities associated with untrusted data
  • Explain the vulnerabilities associated with authentication and authorization
  • Detect, attack and implement defenses for authentication and authorization functionality and services
  • Describe the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Detect, attack and implement defenses against XSS and Injection attacks
  • Explain the concepts and terminology behind defensive, secure coding
  • Describe the use of Threat Risk Modeling as a tool for identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications
  • Design and develop strong, robust authentication and authorization implementations
  • Explain the fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Detect, attack and implement defenses for XML-based services and functionality
  • Describe techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure
  • Analyze and implement the processes and measures associated with the security development lifecycle (SDL)
  • Acquire the skills, tools and best practices for design and code reviews as well as testing initiatives
  • List the basics of security testing and planning
  • Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses
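The objectives above name SQL injection and cross-site scripting as the headline consequences of mishandled untrusted data. The following is an added example, not code from the course page: a vulnerable lookup and a vulnerable greeting renderer next to their hardened forms (parameter binding, a whitelist check at the trust boundary, and entity encoding on output). The table, rows, username policy and payloads are constructed for illustration.

```python
"""Added example, not part of the course page: a vulnerable lookup and greeting
next to their hardened forms, covering the SQL injection and cross-site scripting
consequences the objectives name. The table, rows and payloads are constructed
for illustration."""
import html
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted `name` is spliced into the statement text, so a quote in the
    value changes the query's structure instead of staying data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameters are sent as data; no value can alter the query shape."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Whitelist for a username crossing the trust boundary: assumed policy of
# 1-32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def qualify_username(raw):
    """Reject anything outside the whitelist rather than trying to strip or
    escape it; rejection is the designed response to a recognised attack."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("username fails whitelist")
    return raw


def render_greeting_vulnerable(name):
    """Reflects untrusted text into HTML without encoding: reflected XSS."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_encoded(name):
    """Entity-encode for the HTML text context; quote=True also covers attribute
    values. This is the second layer behind the whitelist check above."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both attacks against both versions and report what each returns."""
    conn = make_db()
    sqli = "x' OR '1'='1"                 # classic tautology payload
    xss = "<script>alert(1)</script>"     # classic reflected-XSS probe
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, sqli)),
        "sqli_parameterized_rows": len(lookup_parameterized(conn, sqli)),
        "xss_vulnerable_html": render_greeting_vulnerable(xss),
        "xss_encoded_html": render_greeting_encoded(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the tautology payload while the bound version returns none; the whitelist rejects both payloads outright, and the encoder neutralises the script tag for any text that is legitimately allowed through.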

Audience:
  • Web Developers
  • Project Stakeholders

Prerequisites:
  • Basic experience with a programming language

Course Outline:
  1. Foundation
    • Security concepts
      • Terminology and players
      • Assets, threats and attacks
      • OWASP
    • Principles of defensive coding
    • Reality
      • Survey of recent, relevant incidents
      • Lab to find the security defects in an existing web application
  2. Top Security Vulnerabilities
    • Unvalidated input
      • Description with working example
      • Defenses
      • Identifying trust boundaries
      • Qualifying untrusted data
      • Implementing a layered defense that effectively protects quality of service as well as data integrity
      • Designing an appropriate response to a recognized attack
      • Testing defenses and responses for weaknesses
    • Overview of regular expressions
      • Description with working example
    • Broken access control
      • Description with working example
      • Defenses
      • Authorization security overview
      • Defending special privileges such as administrative functions
      • Application authorization best practices
    • Broken authentication and session management
      • Description with working example
      • Defenses
      • Multi-layered defenses of authentication services
      • Password management strategies
      • Password handling with hashing
      • Mitigating password caching
      • Testing defenses and responses for weaknesses
      • Alternative authentication mechanisms
      • Best practices for session management
      • Defending session hijacking attacks
      • Best practices for Single Sign-On (SSO)
    • Cross-Site Scripting (XSS) flaws
      • Description with working example
      • Defenses
      • Character encoding complications
      • Blacklisting
      • Whitelisting
      • HTML/XML entity encoding
      • Understanding the implications of trust boundary definition
      • Implementing a layered defense that effectively protects quality of service as well as XSS vulnerabilities
      • Designing an appropriate response to a recognized attack
    • Injection flaws
      • Description with working example
      • Defenses
      • Qualifying untrusted data
      • Hibernate best practices
      • XML best practices
      • Third party APIs
      • Implementing a layered defense that effectively protects quality of service as well as injection vulnerabilities
      • Designing an appropriate response to a recognized attack
    • Error handling and information leakage
      • Description with working example
      • Defenses
      • Web application exception handling framework
      • Error response best practices
      • Error, auditing and logging content management
      • Error, auditing and logging service management
      • Best practices for supporting web attack forensics
    • Insecure storage
      • Description with working example
      • Defenses
      • Data leakage
      • Risk minimization
      • Cryptography overview
      • Data encryption
      • Partial/complete
      • Property/deployment/configuration files
    • Insecure management of configuration
      • Description with working example
      • Defenses
      • System hardening
      • Server configuration “gotchas!”
      • Hardening software installation
    • Direct object access
      • Description with working example
      • Defenses
      • XML/DTD/Schema/XSLT best practices
    • Spoofing
      • Description with working example
      • Defenses
      • Protecting your clients
      • Defending against Cross-Site Request Forgery (CSRF)
      • Phishing defenses
  3. Best Practices
    • Defensive coding principles
      • Attack surface management
      • Application states
      • Defense in depth
      • Not trusting the untrusted
      • No security through obscurity
      • Security defect mitigation
      • Leverage experience
  4. Defending XML Processing
    • Defending XML
      • Understanding common attacks and how to defend
      • Operating in safe mode
      • Using standards-based security
      • XML-aware security infrastructure
    • Defending Web services
      • Security exposures
      • Transport-level security
      • Message-level security
      • WS-Security
      • Attacks and defenses
    • Defending Ajax
      • Ajax security exposures
      • Attack surface changes
      • Injection threats and concerns
      • Effective defenses and practices
  5. Security Development Lifecycle (SDL)
    • SDL process overview
    • Applying processes and practices
    • Risk analysis
  6. Security Testing
    • Testing tools and processes
      • Principles
      • Reviews
      • Testing
      • Tools
    • Testing Practices
      • Authentication testing
      • Session management testing
      • Data validation testing
      • Denial of service testing
      • Web services testing
      • Ajax testing
  7. Appendix: Security Design Patterns
    • Design patterns introduction
    • Web application security design patterns
      • Authentication enforcer
      • Authorization enforcer
      • Intercepting validator
      • Secure base action
      • Secure logger
      • Secure pipe
      • Secure service proxy
      • Intercepting Web agent
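The "Broken authentication and session management" topics in module 2 (password handling with hashing, session management best practices, defending against session hijacking) can be shown concretely. The following is an added example, not code from the course: a salted, iterated password hash with constant-time verification, and a server-side session store that issues fresh tokens at login, discards any token the client arrived with, and expires idle sessions. The work factor, idle timeout and in-memory store are illustrative assumptions; the clock is injectable so expiry can be exercised without sleeping.

```python
"""Added example, not part of the course outline: password storage with a salted,
iterated hash and constant-time verification, plus server-issued session tokens
that are rotated at login and expire. The work factor, TTL and in-memory store
are illustrative assumptions."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000      # assumed work factor; calibrate to ~100 ms on your hardware
SESSION_TTL_SECONDS = 15 * 60    # assumed idle timeout


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, iterations, salt, digest.
    Storing the parameters lets old hashes be upgraded when the work factor rises."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, username, password, stored_hash, presented_token=None):
        """Authenticate, then issue a fresh token. Any token the client arrived
        with is discarded, so a session ID planted by an attacker is never bound
        to the victim's identity (session fixation defence)."""
        if not verify_password(password, stored_hash):
            return None
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._sessions[token] = {
            "user": username,
            "expires": self._clock() + SESSION_TTL_SECONDS,
        }
        return token

    def user_for(self, token):
        """Resolve a token to a user, evicting it if the idle timeout has passed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() > session["expires"]:
            del self._sessions[token]
            return None
        return session["user"]

    def logout(self, token):
        """Invalidate server-side; deleting the cookie alone is not enough."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    store = SessionStore()
    token = store.login("alice", "correct horse battery staple", record, presented_token="planted")
    print("login ok:", token is not None, "| planted token valid:", store.user_for("planted"))
```

In a real deployment the record would live in the user table and the token would be sent as an HttpOnly, Secure cookie; the point here is that the token is never accepted from the client as an identity, only looked up.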


This course is included in the following Roadmaps:
2016 IBM Choice Award
