Course Code: SEC 114

Duration: 2 Days

Web application vulnerabilities continue to place our global computing infrastructure at risk. In this course, participants will perform hands-on security testing on live web applications to find common vulnerabilities and will learn efficient and effective approaches for eliminating or avoiding these vulnerabilities in their own web applications. Participants will learn how to diagnose all of the OWASP Top Ten web flaws, including Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery, Broken Authentication and Authorization, and much more.

The course is designed primarily for software developers and testers, but anyone with an interest in web application security will be able to use the tools provided and learn to find and diagnose holes in a real web application. Each participant receives a CD with an application security learning environment and a number of specialized tools. The course culminates with a fun three-stage challenge designed to drive home the key lessons from the training.

This course goes way beyond just finding and exploiting vulnerabilities. Participants will also learn about the security controls that developers can use to solve these issues. Understanding how security is supposed to work is the greatest tool you can possibly have for finding security problems.
This course is designed for:
  • Software Developers (any web environment)
  • Software Testers
  • Security Specialists
  • Application Architects
Upon completion of this course, participants will be able to:
  • Design, build, and test secure applications
  • Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)
  • Understand and be able to apply application security design principles.
  • Identify and explain common web application security threats (e.g., Cross-Site Scripting, SQL Injection, Access Control Attacks, “Man-in-the-middle” attacks, etc.) and implement mitigation techniques.
  • Handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, re-authentication, and timeouts.
  • Implement access control rules for the user interface, business logic, and data layers.
  • Learn how Cross-Site Request Forgery attacks work, the serious damage they can cause, and easy defenses against this type of attack.
  • Implement simple, straightforward Cross-Site Scripting defenses through proper output encoding, and detect XSS vulnerabilities throughout an application.
  • Understand how Clickjacking attacks work, and the security headers that can now be used to easily defend against them.
  • Understand the strong benefits of proper input validation, and how to architect an effective and easy-to-use input validation framework.
  • Understand the dangers of command injection and techniques for avoiding the introduction of this type of vulnerability.
  • Implement a consistent error (exception) handling and logging approach for an entire web application.
  • Apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.
  • Select and implement appropriate auditing/logging capabilities.
  • Avoid the use of components with known vulnerabilities by automating the tracking and updating of third-party components.
  • Review their applications for common security vulnerabilities using code review and penetration testing techniques.
Introduction
Section Overview: This section describes and introduces the course and instructors. It also provides setup instructions for the course exercises.
a. Training Program Introduction
b. Course Objectives, Approach, and Layout
c. Intro to Aspect Security/Instructors
d. Participants Introduce Themselves
e. Discussion of Applicable Corporate Initiatives
f. Review of Course Agenda
g. Install and Setup Testing Environment

Understanding HTTP and Web Technologies
Section Overview: This section is intended to provide the foundations needed to understand the upcoming application security concepts. It begins by describing the HTTP protocol and how it relates to web applications. It dives into various aspects of the protocol in detail to assist in understanding the entire communication path, from client request through server processing and server response to browser interpretation. It then discusses how a hacker proxy can be used to modify HTTP requests and where this proxy fits into the big picture. Finally, the first hands-on lesson gets participants familiar with the hands-on application and comfortable using the testing proxy.
a) HTTP Protocol (Requests, Responses, Headers, Cookies, Parameters, Response Codes)
i. Security of GET vs. POST
ii. SSL and Certificates
iii. Man-in-the-Middle Threat
iv. HTTP Strict Transport Security
b) Introducing Test Application and Security Testing Proxy
i. WebGoat Overview
ii. ZAP Overview
c) Exercise and Labs
i. Hands-On Testing Exercise: WebGoat HTTP Basics
ii. Hands-On Testing Exercise: WebGoat and Proxy

How to Authenticate Users
Section Overview: This section covers common web authentication methods along with their strengths and weaknesses. It discusses best practices associated with authentication and uses hands-on lessons to demonstrate common authentication mistakes. Along the way, it discusses technology-specific authentication usage and configuration.
a) Overview
b) Authentication Mechanisms
c) Common Authentication Approaches
d) How to Protect Credentials from Disclosure
e) How to Protect Against Brute Force Attacks
f) How to Provide Password Management Functions
g) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Basic Authentication

How to Manage User Sessions
Section Overview: This section includes what session management is and how it works within a web application environment. It discusses common mistakes developers make regarding session management and attacks that can take advantage of these errors. The section discusses best practices associated with session management and technology specific implementation approaches.
a) Introduction to HTTP Sessions
b) Explanation of Session Lifecycle (login, logout, reauthentication, timeouts)
c) How to Protect Against Session Hijacking
d) Exercise and Labs
i. Hands-On Testing Exercise: WebGoat – Authentication Cookies

How to Control Access
Section Overview: This section introduces Access Control in a web environment and the various complexities associated with implementing strong access protections. It walks through the importance of checking all access to sensitive functionality, defining application roles and functions, not relying only on presentation rendering, and implementing access controls at different levels, including declarative (URL), programmatic (API) and instance (data) level. Throughout the section, various technology-specific access control uses are discussed and demonstrated. This section also includes common best practices associated with access control.
a) Overview
b) Defining & Architecting Your Access Control Policy
i. Authorization Primitives
ii. Defining an Access Control matrix
c) Presentation Layer Access Control
i. Single Role vs. Multi-Role Views
d) Environment Enforced Access Control
i. Attack Surface
ii. Single Role vs. Multi-Role URLs
iii. Declarative Authorization
e) Business Layer Access Control
i. Programmatic Authorization
ii. Single Role vs. Multi-Role Business Functions
f) Data Layer Access Control
i. The Object Reference Problem
g) Exercise and Labs
i. Hands-On Testing Exercise: WebGoat – Access Control

How to Prevent Cross-Site Request Forgery (CSRF) Attacks
Section Overview: The section introduces a very common web application attack that most developers aren’t familiar with: Cross-Site Request Forgery. It explains how and why this attack works and the consequences of such attacks. It discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
a) Overview of CSRF
i. What is CSRF
ii. CSRF Vulnerability Pattern
iii. The Same Origin Policy
b) How to Identify CSRF Flaws
i. Several Real World Examples
c) How to Protect Against CSRF
i. Misconceptions – Defenses That Don’t Work
ii. Recommended CSRF Defenses
iii. Protecting REST Interfaces Against CSRF
iv. Java and .Net Specific Defenses

How to Protect Against Cross-Site Scripting
Section Overview: The section covers in detail a very common web application attack known as Cross-Site Scripting (XSS). It explains how and why this attack works and the consequences of such attacks. It introduces and explains two types of XSS attacks (reflected and stored), demonstrates an attack, walks through various buggy code examples, and finally allows participants to apply what they have learned by executing XSS attacks in hands-on lessons. Throughout the section, different technology-specific protections, including output encoding and input validation, are explored and discussed.
a) Overview of XSS
i. Types of XSS (Stored and Reflected)
ii. Tricking the Browser Sandbox
iii. Consequences of XSS
b) How to Solve XSS Problems
i. Output Encoding
ii. Input Validation
iii. Filters
iv. HTTP Only
v. Response Headers to Help Prevent XSS
c) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Stored and Reflected XSS
ii. Hands-On Testing Exercise: WebGoat – HTTPOnly

How to Prevent Clickjacking Attacks
Section Overview: The section introduces another common web application attack most developers aren’t familiar with. It explains how and why allowing your content to be framed allows this attack to work and the consequences of such attacks. It discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
a) Overview of Clickjacking
b) Clickjacking Defenses
i. Approach 1: Framebusting Code
ii. Approach 2: X-Frame-Options Header
iii. Approach 3: Content Security Policy (CSP)
c) Other Framing Threats
d) Exercises and Labs
i. Hands-On Demo: WebGoat – Clickjacking

How to Architect Input Validation Solutions
Section Overview: The section provides a basis for understanding the importance of proper input validation. It walks through common design and implementation approaches to validate user input and discusses the strengths and weaknesses associated with each approach. It starts off with a focus on threats associated with unvalidated user input. It introduces and explains these threats, demonstrates the attacks, and allows participants to apply what they have learned in hands-on lessons. Throughout the section, different technology-specific protections are explored and discussed, as well as the best practices associated with the quality attributes of proper input validation.
a) Introduction
i. Lack of Validation
ii. Hidden Fields
iii. Use of Positive Validation
iv. Regexes
v. Unchecked Redirects and Forwards
b) How to Validate Outside Applications
c) How to Validate Within Applications
d) How to Respond to Input Validation Issues
e) Validating Data from other Sources
i. Safe File Uploads/Downloads
f) Exercises and Labs:
i. Spot the Bug(s): Input Validation Flaws
ii. Hands-On Testing Exercise: WebGoat – Hidden Fields
iii. Hands-On Testing Exercise: WebGoat – JavaScript

How to Protect Sensitive Data
Section Overview: This section discusses common cryptographic problems associated with web applications as well as caching of sensitive data. It demystifies and dispels the myth that crypto is extremely complex by walking through various simple and straightforward code examples. These code examples are technology specific and include examples of encrypting, decrypting, hashing, and the use of SSL. It also discusses other common flaws that can lead to the exposure of sensitive data.
a) Overview
b) How to Choose the Right Algorithm
c) How to Encrypt, Decrypt, Sign, and Hash
d) How to Avoid Replay Attacks
e) How to Use SSL Sockets
f) How to Protect Sensitive Data in Caches in Applications

How to Use Databases Securely
Section Overview: The section provides the material necessary to use a database securely. Threats related to securely connecting to a database, validating input, using SQL, handling errors and logging, and validating results are covered. Some architectural concerns are also discussed in terms of centralizing the security functions related to accessing a database securely.
a) Overview
b) How to Prevent SQL Injection
c) Protecting Database Connection Strings (usernames/passwords)
d) Minimizing Privilege
e) How to Handle SQL Exceptions and Verify Results
f) Database Layer Access Control
g) Architectural Patterns for Database Security (DAO)
h) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – SQL Injection

How to Handle Errors and Log Security Events
Section Overview: This section introduces the importance of proper error handling and security logging mechanisms for security-critical events. Throughout the section, technology-specific logging APIs and error handling strategies are introduced and discussed.
a) Overview
i. Example Real World Fail Opens
b) How to Configure Error Handling
c) Error Handling Best Practices
d) What Security Events to Log and What Data to Capture
e) Detecting and Responding to Attacks
i. OWASP AppSensor
f) Exercise and Labs:
i. Hands-On Testing Exercise: WebGoat – Fail Open Authentication Scheme

Avoiding the Use of Components with Known Vulnerabilities
Section Overview: This section introduces the importance of keeping track of which versions of 3rd party and open source components are being used in a project, and of keeping them up to date when new versions become available. Most updates to such components include security fixes, so failing to update introduces significant risk to your applications.
a) Overview
i. A Huge Risk Most Dev Teams aren’t Dealing With
ii. The Proliferation in the Use of Open Source
iii. Serious Vulnerabilities in Open Source are Common
b) What Can You Do?
i. Automation Can Warn You When Your Components Are Out-of-date/Vulnerable
ii. Develop a Process For Updating Frequently

How to Access Services Securely
Section Overview: This section discusses security issues associated with external connections, and walks through various best practices. This section is used as a review of all the practices covered in the course thus far. Participants should realize that all the practices they’ve learned for protection of a web application should apply to an external connection as well.
a) A Pattern for using Services Securely
i. Vulnerability Examples
b) Applying the Pattern to Prevent Command Injection
c) Architecting Secure Service Access
d) Examples of How to Access Services Securely
e) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – Command Injection

HTML5 Security
Section Overview: HTML5 is gaining in popularity and browser support. This section describes a number of security features introduced in HTML5 and how developers can take advantage of them to improve the security of their applications and/or leverage new HTML capabilities in a secure way.
a) What is HTML5
b) HTML5: Local Storage
i. Security Implications of Using IndexedDB
c) HTML5: WebSockets
i. Using WebSockets Securely
d) Cross-Origin Resource Sharing (CORS)
i. CORS Preflight Requests
ii. CORS Security Risks

AppSec at DevOps Speed and Portfolio Scale
Section Overview: Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. This section describes how development organizations can instrument their entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and enable application security activities to generate significant measurable value.
a) Comparison of AppSec to Healthcare
b) Traditional SDLC Approaches
c) Starting Over, at Portfolio Scale, and DevOps Speed
d) Example Sensors
i. Clickjacking
ii. Security Headers
iii. Access Control
iv. Known Vulnerable Components
v. CSRF
vi. Injection
vii. Architecture, Inventory, More …
e) Building Continuous AppSec Throughout Lifecycle
f) What Sensors Does Your Organization Need?
g) What Security Do You Expect vs. What Are You Actually Measuring?
h) Aligning Sensors with Business Concerns
i) Developing a Portfolio Wide Dashboard

References
a) Books
b) OWASP Resources
c) Microsoft Application Security Resources
d) Web Application Security Consortium Guidelines

The Challenge
Section Overview: The challenge section allows participants to step back, look at what they have learned and apply this knowledge by performing a final hack on the hands-on Challenge lesson. This lesson combines many of the vulnerabilities previously discussed into a single lesson with multiple stages. Unlike previous lessons, which include hints to guide participants through each stage of an attack, this lesson contains no hints. While the instructor assists participants, this is the time for participants to use their creativity and the knowledge they have gained from this course to successfully compromise the final lesson.
a) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – Challenge Stage 1 – Break Authentication
ii. Hands-On Testing Exercise: WebGoat – Challenge Stage 2 – Steal the Credit Cards
iii. Hands-On Testing Exercise: WebGoat – Challenge Stage 3 – Deface the Web Site