Secure Web Application Development

Course:  SECWD
Duration:  3 Days
Level:  II
Course Summary

This 3-day course presents the processes required to build robust and secure web applications from the start and explains how to eliminate existing security bugs. Best practices for authentication, access control, data protection, attack prevention, error handling, and much more are included. Using the practical advice and real-world examples provided, you'll gain valuable secure software engineering skills. This course is not geared towards any particular platform or technology, but instead discusses the various underlying aspects and concepts encountered in each and any of them.

« Hide The Details
Topics Covered In This Course

Web Application Security Basics

  • What is Untrusted Data?
  • HTTP Security Considerations
  • Anti-Pattern and Weaknesses
  • Security Controls and Positive Pattern
  • Input Validation

Authentication and Session Management

  • Registration of New Users
  • Login Process
  • Attacks Against Authentication
  • Secure Cookies
  • Credential Security
  • Multi-Factor Authentication
  • Federated Identity, SAML, OAuth et al

Access Control

  • Identity and Access Control
  • Anti-Pattern and Pattern
  • Role-Based Access Control
  • Multi-Tenancy
  • Contextual Access Control
  • Attribute-Based Access Control

Cross-Site Scripting (XSS) Defense

  • Content Spoofing
  • Reflected, Stored and DOM-Based XSS
  • Defending Against XSS
  • Input and HTML Validation and Sanitization
  • Output Encoding
  • Secure JSON Pattern jQuery and DOM XSS

Cross-Site Request Forgery (CSRF) Defense and Clickjacking

  • How Does CSRF Work?
  • Stored, Intranet, Network and Unauthenticated CSRF
  • How to Combat CSRF
  • Synchronizer Token and Challenge/Response Pattern
  • HTTP Request Referrer Header Verification
  • XSS Defense and CSRF Protection
  • Clickjacking
  • How to Combat Clickjacking

Protecting Sensitive Data

  • Securing Data in Transit
  • Protocol Versions and Cipher Suites
  • Certificates and Trust Managers
  • Securing Data at Rest
  • Encryption and Signing
  • Key Management
  • Secure Random Numbers

SQL Injection and Other Injection Attacks

  • What is SQL Injection?
  • Query Parameterization
  • Stored Procedures
  • Defense in Depth
  • Input Validation and Type Safety
  • Access Control
  • Relational Mapping and ORMs
  • XML, JSON and Command Injections

Safe File Upload and File I/O

  • Anti-Pattern and Design Flaws
  • File Path and Null Byte Injections
  • File I/O Resource Management
  • File Upload Security
  • Attack Pattern
  • Dangerous Content, Overwrites and Quota Overload DoS
  • Processing zip, rar and other Archives
  • Positive Pattern

Logging, Error Handling, and Intrusion Detection

  • Logging Basics
  • What to Log, What Not
  • Logging Frameworks for Security
  • Safe Error Handling
  • App Layer Intrusion Detection
  • Defending Against Automated Attacks
  • OWASP AppSensor

Secure Software Development Lifecycle

  • Averting Disaster Before it Starts
  • Team Roles for Security
  • Security Throughout the Application Life Cycle
  • Security in the Software Development Life Cycle
  • Business and Technical Security Requirements
  • Implementing Security Controls
  • Testing Security Controls
  • Monitoring and Incident Response
What You Can Expect

At the end of this course, delegates will be able to:

  • Describe the core processes to build secure web applications
  • Recognise common attack pattern, and how to protect against these
  • Use a wide range of best practices to develop secure web applications
  • Understand pattern and anti-pattern of secure web application development
  • Appreciate that security is an integral part of any system development life cycle and crucial to any successful web application project
Who Should Take This Course

Web application designers, architects, developers and testers, IT, program and project managers as well as auditors assessing web application projects.

Recommended Prerequisites

Students should have a high-level understanding of software development principles and some experience in at least one web application development technology.

Training Style

Instructor-led with 50% lecture and 50% discussion and conceptional desktop exercises.

« Hide The Details
Related Courses
Code Course Title Duration Level
Security Awareness For Technologists
2 Days
CompTIA Security+ (Exam SY0-401)
5 Days
Security Awareness For Management
2 Days
Securing Web Applications, Services And Servers
3 Days

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.

Schedule For This Course
There are currently no public sessions scheduled for this course. We can schedule a private class for your organization just a couple of weeks from now. Or we can let you know the next time we do schedule a public session.
Notify me the next time this course is confirmed!
Can't find the course you want?
Call us at 800.533.3893, or
email us at [email protected]