DUNS #: 07-985-4198 | Cage Code: 7F5V0 | NAICS Codes: 611310, 611420

Secure Web Application Engineer

4 Days

Price: $3495

Course Schedule

Overview

The Certified Secure Web Application Engineer course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will put theory to practice by completing real world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risks analysis and threat modeling, conducting secure code reviews and more.

On the final day of training, students will complete a real world hacking exercise on a live web application.

These secure coding skills are in desperate need today because the internet is one of the most dangerous places to do business; there are countless cases of valuable information being stolen from businesses because there was a vulnerability in their web applications. When programmers don’t understand the principles of secure coding, doors are open to those who do.


Objectives

Students will have knowledge to:

  • Perform web application penetration testing to expose vulnerabilities.
  • Design & implement controls to defend against application vulnerabilities.
  • Integrate security best practices into the software development lifecycle
  • Be ready to sit for the C)SWAE certification exam.

Audience

The Certified Secure Web Application Engineer Certification Course is designed for those have a background in web application development and want to have the skill set to make their applications secure. While not required, we recommend being familiar with general cyber security topics, including those taught in our C)ISSO: Information Systems Security Officer course.


Prerequisites

  • Proficiency in web app programming in a language of your choice

Outline

Module 1 – Web Application Security

  • Web Application Security
  • Web Application Technologies and Architecture
  • Secure Design Architecture
  • Application Flaws and Defense Mechanisms
  • Defense In-Depth
  • Secure Coding Principles
  • Lab: Environment Setup – Lab

Module 2 – OWASP Top 10

  • The Open Web Application Security Project (OWASP)
  • OWASP TOP 10 2013
  • Lab: Environment Setup – LabCommon WEP Attacks

Module 3 – Threat Modeling & Risk Management

  • Threat Modeling Tools & Resources
  • Identify Threats
  • Identify Countermeasures
  • Choosing a Methodology
  • Post Threat Modeling
  • Analyzing and Managing Risk
  • Incremental Threat Modeling
  • Identify Security Requirements
  • Understand the System
  • Root Cause Analysis
  • Lab: Threat Modeling and Architecture Risk Analysis
  • Lab: Quick Threat Modeling (the Doctor use case)

Module 4 – Application Mapping

  • Application Mapping
  • Web Spiders
  • Web Vulnerability Assessment
  • Discovering other content
  • Application Analysis
  • Application Security Toolbox
  • Setting up a Testing Environment
  • Lab: Web Application Mapping using Ethical Hacking Tools

Module 5 – Authentication & Authorization Attacks

  • Authentication
  • Different Types of Authentication (HTTP, Form)
  • Client Side Attacks
  • Authentication Attacks
  • Authorization
  • Modeling Authorization
  • Least Privilege
  • Access Control
  • Authorization Attacks
  • Access Control Attacks
  • User Management
  • Password Storage
  • User Names
  • Account Lockout
  • Passwords
  • Password Reset
  • Client-Side Security
  • Anti-Tampering Measures
  • Code Obfuscation
  • Anti-Debugging
  • Lab: Client Side, Authentication and Authorization Attacks

Module 6 – Session Management Attacks

  • Session Management Attacks
  • Session Hijacking
  • Session Fixation
  • Environment Configuration Attacks
  • Lab: Session Management, Access Controls and Configuration Attacks

Module 7 – Application Logic Attacks

  • Application Logic Attacks
  • Information Disclosure Exploits
  • Data Transmission Attacks
  • Lab: Application Logic, Information Disclosure and Data Transmission Attacks

Module 8 – Data Validation

  • Input and Output Validation
  • Trust Boundaries
  • Common Data Validation Attacks
  • Data Validation Design
  • Validating Non-Textual Data
  • Validation Strategies & Tactics
  • Errors & Exception Handling
  • Structured Exception Handling
  • Designing for Failure
  • Designing Error Messages
  • Failing Securely
  • Lab: Cert Java Oracle Secure Coding IDS

Module 9 – AJAX Attacks

  • AJAX Attacks
  • Web Services Attacks
  • Application Server Attacks
  • Lab: AJAX, Web Services and Server Attacks

Module 10 – Code Review & Security Testing

  • Insecure Code Discovery and Mitigation
  • Testing Methodology
  • Client Side Testing
  • Session Management Testing
  • Developing Security Testing Scripts
  • Pentesting a Web Application
  • Lab: Performing Code review and Building Security Test Scripts

Module 11:  Web Application Penetration Testing

  • Insecure Code Discovery and Mitigation
  • Benefits of a Penetration Test
  • Current Problems in WAPT
  • Learning Attack Methods
  • Methods of Obtaining Information
  • Passive vs. Active Reconnaissance
  • Footprinting Defined
  • Introduction to Port Scanning
  • OS Fingerprinting
  • Web Application Penetration Methodologies
  • The Anatomy of a Web Application Attack
  • Fuzzers
  • Lab: Performing Web Application PenTesting stepsPKI
  • CA Hierarchy

Module 12: Secure SDLC

  • Secure-Software Development Lifecycle (SDLC)
  • Methodology
  • Web Hacking Methodology
  • Lab: Case Study and Web Penetration Testing Assignment

Module 13: Cryptography

  • Overview of Cryptography
  • Key Management
  • Cryptography Application
  • True Random Generators (TRNG)
  • Symmetric/Asymmetric Cryptography
  • Digital Signatures and Certificates
  • Hashing Algorithms
  • XML Encryption and Digital Signatures
  • Authorization Attacks
  • Lab: Encryption in Secure Coding (Example for Java, PHP and .NET)

Appendix – Labs:

  • Spoofing & Authentication Cookies
  • How to Perform Cross Site Scripting (XSS)
  • Injection Flaws
  • Improper Error Handling
  • Parameter Tampering
  • Denial of Service
  • Writing Java Secure Code