Training

Web Application Security Testing

Custom-built web applications are the security weak spot for most companies. Traditional IT security practices focus on firewalls, patching and hardening servers, virus scans, and similar controls. While these are definitely important activities, attackers are increasingly turning to web applications as a means of compromising systems and stealing critical data. Securing these custom web applications is a challenging task.

This course covers all of the most common security weaknesses found in web applications. Students will learn how to look at their websites from a hacker's point of view, and will learn best practices for finding and resolving existing security vulnerabilities and building new web applications in a secure manner. The course contains unique and fun hands-on exercises to help students gain a fuller understanding of the concepts presented.

The focus of this course is on practical lessons that can be applied in real-world situations. Students are given a methodology to use when conducting formal application security assessments, which covers how to perform a thorough assessment, how to rate the risk of identified vulnerabilities, and how to compile the assessment results into an actionable report.

If you’re looking for expert guidance on how to build an effective in-house application security assessment program and how to build security into your QA process, this is the course for you.

Compliance with PCI Requirements

PCI DSS requires that members, merchants and service providers develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) Guide. The course covers the OWASP Top 10 vulnerabilities, in addition to others that AppSec Consulting security engineers have come across in real-life security engagements. The course provides prescriptive guidance on testing web applications in accordance with PCI DSS requirements, and can help you identify and eliminate common vulnerabilities before they reach production.

Course Outline

  • HTTP 101
  • Exploring Your Application
  • Input Validation
  • Session Management
  • Authentication
  • Securing the Logged-In Portion of Your Site
  • Cryptography As It Applies to Web Applications
  • Secure Website Configuration
  • Google Hacking
  • Web Application Security Products and Tools Overview
  • Putting It All Together – A Web Application Security Assessment Methodology
  • Resources For Learning More

The modules are structured to give an overview of the topic, introduce the different types of attacks, describe testing techniques, and then suggest design and coding solutions to prevent these attacks.

Lab Sessions

These sessions help students become thoroughly familiar with HTTP, which is essential for understanding web application security concepts. The exercises include examples of various application vulnerabilities and allow students to practice attack techniques against a demo website and analyze the security of their own websites without conducting attacks on production systems. The hands-on sessions include:

  • Using Interception Proxy Tools
  • Introduction To HTTP
  • Exploration and Spidering
  • Cross-Site Scripting
  • SQL Injection
  • Analyzing An Application’s Session Handling Security
  • Parameter Tampering
  • Privilege Escalation
  • Google Hacking

Prerequisites

The course contains coding examples in both Java and ASP.Net, but it is not a programming course – web programming experience is helpful but not mandatory. Experience working with websites, whether as a QA analyst, security analyst, or developer, is helpful for getting the most out of this course.

Class Requirements

  • Projector to connect to instructor’s laptop
  • Whiteboard/Markers
  • A computer for each participant with the free VirtualBox installed and at least 1 GB of memory
  • Internet connection

© Copyright 2017 AppSec Consulting, All Rights Reserved