Secure Web Application Development

This course is designed to teach web application developers and architects how to build applications with world-class security.  QA engineers, IT security analysts, and IT risk managers can also benefit from this course.

Every major aspect of application security is covered, and each module includes both design and coding advice.  Hands-on labs are provided to help students master the concepts in a highly interactive setting.  The course focuses on application development strategies and tactics that secure software at the source.

Compliance with the PCI DSS and Other Industry Requirements

PCI DSS requires that members, merchants and service providers develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) Guide. The course covers the OWASP Top-10 vulnerabilities, in addition to others that AppSec Consulting security engineers have come across in real-life security engagements.  The course provides prescriptive guidance on testing web applications in accordance with PCI DSS requirements, and can help you identify and eliminate common vulnerabilities before they reach production.

Course Outline

Security Principles Overview

  • Importance of Security in the Software Development Lifecycle
  • Regulations, Privacy and Compliance
  • Impact of Security Defects
  • Core Security Concepts
  • Security Design Principles

Information Disclosure

  • Leakage in Web Technologies (HTML, HTTP, Files, Client-Side Objects, URLs, Web Services)
  • Error Handling (Structured vs. Functional)
  • Google Hacking

Authentication

  • Methods of Authentication
  • 2-Factor Authentication
  • Single Sign-On
  • Common Authentication Attacks (Brute Force, Username Harvesting, etc.)
  • Implementing Secure Authentication – Design and Coding

Session Management

  • Overview of Sessions
  • Threats to Sessions and Impact
  • Common Implementation Mistakes and Exploits (Interception, Prediction, Brute Force, etc.)
  • Implementing Secure Sessions – Design and Coding

Authorization and Access Control

  • Methods of Access Control
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
    • Role-Based Access Control (RBAC)
    • Rule-Based Access Control
  • Common Authorization Attacks (Parameter Tampering, Privilege Escalation, Cross-Site Request Forgery, etc.)
  • Implementing Secure Authorization – Design and Coding

Secure Data Handling

  • Overview of Data Handling
    • Integrity Validation
    • Data Validation
    • Business Rule Validation
  • Common Exploits (SQL Injection, Cross-Site Scripting, HTTP Response Splitting, etc.)
  • Implementing Secure Data Handling – Design and Coding

Cryptography

  • Hashing
  • Secure Password Storage
  • Symmetric and Asymmetric Encryption
  • Digital Signatures
  • Certificates
  • Key Distribution
  • SSL and Digital Certificates
  • Implementing Cryptography – Design and Coding

Logging

  • Logging Overview
  • Threats and Considerations
  • Implementing Logging – Design and Coding

Web Service Security

  • Simple Object Access Protocol (SOAP)
  • SOAP Related Protocols
  • Security Assertion Markup Language (SAML)
  • WS-Security
  • Representational State Transfer (REST)
  • REST Related Protocols
  • JSON vs XML
  • Implementing Secure Web Services – Design and Coding

Secure Application Development

  • Software Development Life Cycle (SDLC)
  • Threat Modeling
  • Application Risk Levels
  • Risk Assessment
    • STRIDE and DREAD
    • Severity Level Classifications

Web Application Security Tools

Web Application Security Resources

Lab Sessions

The in-person version of this course includes lab exercises that allow students to explore the security of their applications and to demonstrate attack techniques against a demo website.  The exercises cover manual techniques to exploit the site and subvert application restrictions.  The hands-on sessions include:

  • Introduction To Interception Proxy Tools
  • Information Gathering
  • Session Token Identification
  • Analyzing a Site’s Session Handling Practices
  • Exploiting Authorization Issues
  • Harvesting Data with Burp Intruder
  • Cross-Site Scripting
  • SQL Injection
  • Web Services

Prerequisites

The course contains coding examples in both Java and ASP.Net, but can be customized for any development language.  A working knowledge of HTML, JavaScript and any server-side programming language (ASP.Net, Java, PHP, ColdFusion, etc.) is recommended.

Class Requirements

  • Projector to connect to instructor’s laptop
  • Whiteboard/Markers
  • A computer for each participant with the free VirtualBox installed and at least 1 GB of memory
  • Internet connection

© Copyright 2017 AppSec Consulting, All Rights Reserved