Course Description
Course Overview
The Certified Secure Web Application Engineer course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will put theory into practice by completing real-world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risk analysis and threat modeling, conducting secure code reviews and more.
On the final day of training, students will complete a real-world hacking exercise on a live web application.
These secure coding skills are in desperate need today because the internet is one of the most dangerous places to do business; there are countless cases of valuable information being stolen from businesses because there was a vulnerability in their web applications. When programmers don’t understand the principles of secure coding, doors are open to those who do.
Upon completion
Students will be able to:
- Perform web application penetration testing to expose vulnerabilities.
- Design & implement controls to defend against application vulnerabilities.
- Integrate security best practices into the software development lifecycle.
- Be ready to sit for the C)SWAE certification exam.
Who should attend
The Certified Secure Web Application Engineer Certification Course is designed for those who have a background in web application development and want the skill set to make their applications secure. While not required, we recommend being familiar with general cyber security topics, including those taught in our C)ISSO: Information Systems Security Officer course.
Course Content
The C)SWAE is a four-day course that covers secure coding practices and testing for web applications. It comprises 10 Modules and an appendix of extra practice labs to perform outside of class to solidify secure coding practices.
Course: Modules & Labs
1. Web Application Security
2. OWASP TOP 10
3. Threat Modeling & Risk Management
4. Application Mapping
5. Authentication and Authorization attacks
6. Session Management attacks
7. Application Logic attacks
8. Data Validation
9. AJAX attacks
10. Code Review and Security Testing
11. Web Application Penetration Testing
12. Secure SDLC
13. Cryptography
Appendix: Labs
Introduction & Instructions
1. Spoofing Authentication Cookies
2. How to Perform Cross Site Scripting (XSS)
3. Injection Flaws
4. Improper Error Handling
5. Parameter Tampering
6. Denial of Service
7. Writing Java Secure Code
Course Details
Module 1: Web Application Security
Web Application Security
Web Application Technologies and Architecture
Secure Design Architecture
Application Flaws and Defense Mechanisms
Defense In-Depth
Secure Coding Principles
Lab: Environment Setup
Module 2: OWASP TOP 10
The Open Web Application Security Project (OWASP)
OWASP TOP 10 2013
Lab: Environment Setup
Module 3: Threat Modeling & Risk Management
Threat Modeling Tools & Resources
Identify Threats
Identify Countermeasures
Choosing a Methodology
Post Threat Modeling
Analyzing and Managing Risk
Incremental Threat Modeling
Identify Security Requirements
Understand the System
Root Cause Analysis
Lab: Threat Modeling and Architecture Risk Analysis
Lab: Quick Threat Modeling (the Doctor use case)
Module 4: Application Mapping
Application Mapping
Web Spiders
Web Vulnerability Assessment
Discovering other content
Application Analysis
Application Security Toolbox
Setting up a Testing Environment
Lab: Web Application Mapping using Ethical Hacking Tools
Module 5: Authentication and Authorization attacks
Authentication
Different Types of Authentication (HTTP, Form)
Client Side Attacks
Authentication Attacks
Authorization
Modeling Authorization
Least Privilege
Access Control
Authorization Attacks
Access Control Attacks
User Management
Password Storage
User Names
Account Lockout
Passwords
Password Reset
Client-Side Security
Anti-Tampering Measures
Code Obfuscation
Anti-Debugging
Lab: Client Side, Authentication and Authorization Attacks
Module 6: Session Management attacks
Session Management Attacks
Session Hijacking
Session Fixation
Environment Configuration Attacks
Lab: Session Management, Access Controls and Configuration Attacks
Module 7: Application Logic attacks
Application Logic Attacks
Information Disclosure Exploits
Data Transmission Attacks
Lab: Application Logic, Information Disclosure and Data Transmission Attacks
Module 8: Data Validation
Input and Output Validation
Trust Boundaries
Common Data Validation Attacks
Data Validation Design
Validating Non-Textual Data
Validation Strategies & Tactics
Errors & Exception Handling
Structured Exception Handling
Designing for Failure
Designing Error Messages
Failing Securely
Lab: CERT Oracle Java Secure Coding (IDS)
Module 9: AJAX attacks
AJAX Attacks
Web Services Attacks
Application Server Attacks
Lab: AJAX, Web Services and Server Attacks
Module 10: Code Review and Security Testing
Insecure Code Discovery and Mitigation
Testing Methodology
Client Side Testing
Session Management Testing
Developing Security Testing Scripts
Pentesting a Web Application
Lab: Performing Code review and Building Security Test Scripts
Module 11: Web Application Penetration Testing
Insecure Code Discovery and Mitigation
Benefits of a Penetration Test
Current Problems in WAPT
Learning Attack Methods
Methods of Obtaining Information
Passive vs. Active Reconnaissance
Footprinting Defined
Introduction to Port Scanning
OS Fingerprinting
Web Application Penetration Methodologies
The Anatomy of a Web Application Attack
Fuzzers
Lab: Performing Web Application Pentesting Steps
Module 12: Secure SDLC
Secure Software Development Lifecycle (SDLC)
Methodology
Web Hacking Methodology
Lab: Case Study and Web Penetration Testing Assignment
Module 13: Cryptography
Overview of Cryptography
Key Management
Cryptography Application
True Random Generators (TRNG)
Symmetric/Asymmetric Cryptography
Digital Signatures and Certificates
Hashing Algorithms
XML Encryption and Digital Signatures
Authorization Attacks
Lab: Encryption in Secure Coding (Example for Java, PHP and .NET)
Appendix: Labs
Introduction & Instructions
Exercise 1: Logging into WebGoat
Exercise 2: Running WebScarab
Exercise 3: Manipulating Data
Appendix 1: Spoofing Authentication Cookies
Appendix 2: How to Perform Cross Site Scripting (XSS)
Appendix 3: Injection Flaws
Exercise 1: SQL Injection
Exercise 2: String SQL Injection
Exercise 3: String SQL Injection
Appendix 4: Improper Error Handling
Exercise 1: Fail Open Authentication
Appendix 5: Parameter Tampering
Appendix 6: Denial of Service
Appendix 7: Writing Java Secure Code
Input Validation and Data Sanitization (IDS)
IDS00-J. Sanitize untrusted data passed across a trust boundary
IDS02-J. Canonicalize path names before validating them
IDS03-J. Do not log unsanitized user input
IDS04-J. Safely extract files from ZipInputStream
IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method