Secure Web Application Development
Course: SECWD
Duration: 3 Days
Level: II
Course Summary
This 3-day course presents the processes required to build robust and secure web applications from the start and explains how to eliminate existing security bugs. Best practices for authentication, access control, data protection, attack prevention, error handling, and much more are included. Using the practical advice and real-world examples provided, you'll gain valuable secure software engineering skills. This course is not geared towards any particular platform or technology; instead it discusses the underlying aspects and concepts encountered in all of them.
Topics Covered In This Course
Web Application Security Basics
- What is Untrusted Data?
- HTTP Security Considerations
- Anti-Patterns and Weaknesses
- Security Controls and Positive Patterns
- Input Validation
Authentication and Session Management
- Registration of New Users
- Login Process
- Attacks Against Authentication
- Secure Cookies
- Credential Security
- Multi-Factor Authentication
- Federated Identity, SAML, OAuth et al
Access Control
- Identity and Access Control
- Anti-Patterns and Patterns
- Role-Based Access Control
- Multi-Tenancy
- Contextual Access Control
- Attribute-Based Access Control
Cross-Site Scripting (XSS) Defense
- Content Spoofing
- Reflected, Stored and DOM-Based XSS
- Defending Against XSS
- Input and HTML Validation and Sanitization
- Output Encoding
- Secure JSON Patterns, jQuery and DOM XSS
Cross-Site Request Forgery (CSRF) Defense and Clickjacking
- How Does CSRF Work?
- Stored, Intranet, Network and Unauthenticated CSRF
- How to Combat CSRF
- Synchronizer Token and Challenge/Response Patterns
- HTTP Request Referrer Header Verification
- XSS Defense and CSRF Protection
- Clickjacking
- How to Combat Clickjacking
Protecting Sensitive Data
- Securing Data in Transit
- Protocol Versions and Cipher Suites
- Certificates and Trust Managers
- Securing Data at Rest
- Encryption and Signing
- Key Management
- Secure Random Numbers
SQL Injection and Other Injection Attacks
- What is SQL Injection?
- Query Parameterization
- Stored Procedures
- Defense in Depth
- Input Validation and Type Safety
- Access Control
- Relational Mapping and ORMs
- XML, JSON and Command Injections
Safe File Upload and File I/O
- Anti-Patterns and Design Flaws
- File Path and Null Byte Injections
- File I/O Resource Management
- File Upload Security
- Attack Patterns
- Dangerous Content, Overwrites and Quota Overload DoS
- Processing zip, rar and other Archives
- Positive Patterns
Logging, Error Handling, and Intrusion Detection
- Logging Basics
- What to Log, What Not
- Logging Frameworks for Security
- Safe Error Handling
- App Layer Intrusion Detection
- Defending Against Automated Attacks
- OWASP AppSensor
Secure Software Development Lifecycle
- Averting Disaster Before it Starts
- Team Roles for Security
- Security Throughout the Application Life Cycle
- Security in the Software Development Life Cycle
- Business and Technical Security Requirements
- Implementing Security Controls
- Testing Security Controls
- Monitoring and Incident Response
What You Can Expect
At the end of this course, delegates will be able to:
- Describe the core processes to build secure web applications
- Recognise common attack patterns and how to protect against them
- Use a wide range of best practices to develop secure web applications
- Understand the patterns and anti-patterns of secure web application development
- Appreciate that security is an integral part of any system development life cycle and crucial to any successful web application project
Who Should Take This Course
Web application designers, architects, developers and testers, IT, program and project managers as well as auditors assessing web application projects.
Recommended Prerequisites
Students should have a high-level understanding of software development principles and some experience in at least one web application development technology.
Training Style
Instructor-led with 50% lecture and 50% discussion and conceptual desktop exercises.
Related Courses
Code | Course Title | Duration | Level
SEC4T | Security Awareness For Technologists | 2 Days | I
SECPLUS | CompTIA Security+ (Exam SY0-401) | 5 Days | I
SEC4M | Security Awareness For Management | 2 Days | I
SECWEB | Securing Web Applications, Services And Servers | 3 Days | I
Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.
You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.