WEBAP - Web Application Security Training Course
Description:
This course will give the participants thorough understanding about security concepts, web application concepts and frameworks used by developers in order to be able to exploit and protect targeted application. In today’s world, that is changing rapidly and thus all the technologies used are also changed at a fast pace, web applications are exposed to hackers attacks 24/7. In order to protect the applications from external attackers one has to know all the bits and pieces that makes the web application, like frameworks, languages and technologies used in web application development, and much more than that. The problem is that attacker has to know only one way to break into the application and developer (or systems administrator) has to know all the possible exploits in order to prevent this from happening. Because of that it is really difficult to have a bullet proof secured web application, and in most of the cases web application is vulnerable to something. This is regularly exploited by cyber criminals and casual hackers, and it can be minimized by correct planning, development, web application testing and configuration.
Objectives:
To give you the skill and knowledge needed to understand and identify possible exploits in live web applications, and to exploit identified vulnerabilities. Because of the knowledge gained through the identification and exploitation phase, you should be able to protect the web application against similar attacks. After this course the participant will be able to understand and identify OWASP top 10 vulnerabilities and to incorporate that knowledge in web application protection scheme.
Audience:
Developers, Police and other law enforcement personnel, Defense and Military personnel, e-Business Security professionals, Systems administrators, Banking, Insurance and other professionals, Government agencies, IT managers, CISO’s, CTO’s.
Course Outline
Module 1: Security concepts
Module 2: Risk management
Module 3: Hackers attack phases
Module 4: Penetration testing
Module 5: Networking MitM attacks
Module 6: Overview of web technologies and frameworks
Module 7: Tools of the trade
Module 8: Bypassing client side controls
Module 9: Authentication attacks
Module 10: Design/implementation flaws
Module 11: Web application attacks: Injection (A1)
Module 12: Web application attacks: XSS/CSRF (A3/A8)
Module 13: Web application attacks: Broken authentication and session management (A2)
Module 14: Web application attacks: Insecure direct object references/Missing function level access control (A4/A7)
Module 15: Web application attacks: Security mis-configuration/Sensitive data exposure (A5/A6)
Module 16: Web application attacks: Unvalidated redirect and forwards (A10)
Module 17: Logical flaws
Open Training Courses require 5+ participants.
WEBAP - Web Application Security Training Course - Booking
WEBAP - Web Application Security Training Course - Enquiry
WEBAP - Web Application Security - Consultancy Enquiry
Consultancy Enquiry
Testimonials (1)
Acceptance and cooperation of the coach to give the best thing
Nayef Hamouda - PSO
Course - WEBAP - Web Application Security
Upcoming Courses
Related Courses
Android Security
14 HoursAndroid is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features to make developing secure software easier; however, it is also missing certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features, and points out the most critical shortcomings to be aware of related to the underlying Linux, the file system and the environment in general, as well as regarding using permissions and other Android software development components.
Typical security pitfalls and vulnerabilities are described both for native code and Java applications, along with recommendations and best practices to avoid and mitigate them. In many cases discussed issues are supported with real-life examples and case studies. Finally, we give a brief overview on how to use security testing tools to reveal any security relevant programming bugs.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn the security solutions on Android
- Learn to use various security features of the Android platform
- Get information about some recent vulnerabilities in Java on Android
- Learn about typical coding mistakes and how to avoid them
- Get understanding on native code vulnerabilities on Android
- Realize the severe consequences of unsecure buffer handling in native code
- Understand the architectural protection techniques and their weaknesses
- Get sources and further readings on secure coding practices
Audience
Professionals
Network Security and Secure Communication
21 HoursImplementing a secure networked application can be difficult, even for developers who may have used various cryptographic building blocks (such as encryption and digital signatures) beforehand. In order to make the participants understand the role and usage of these cryptographic primitives, first a solid foundation on the main requirements of secure communication – secure acknowledgement, integrity, confidentiality, remote identification and anonymity – is given, while also presenting the typical problems that may damage these requirements along with real-world solutions.
As a critical aspect of network security is cryptography, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are also discussed. Instead of presenting an in-depth mathematical background, these elements are discussed from a developer's perspective, showing typical use-case examples and practical considerations related to the use of crypto, such as public key infrastructures. Security protocols in many areas of secure communication are introduced, with an in-depth discussion on the most widely-used protocol families such as IPSEC and SSL/TLS.
Typical crypto vulnerabilities are discussed both related to certain crypto algorithms and cryptographic protocols, such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE and similar, as well as the RSA timing attack. In each case, the practical considerations and potential consequences are described for each problem, again, without going into deep mathematical details.
Finally, as XML technology is central for data exchange by networked applications, the security aspects of XML are described. This includes the usage of XML within web services and SOAP messages alongside protection measures such as XML signature and XML encryption – as well as weaknesses in those protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Understand the requirements of secure communication
- Learn about network attacks and defenses at different OSI layers
- Have a practical understanding of cryptography
- Understand essential security protocols
- Understand some recent attacks against cryptosystems
- Get information about some recent related vulnerabilities
- Understand security concepts of Web services
- Get sources and further readings on secure coding practices
Audience
Developers, Professionals
C/C++ Secure Coding
21 HoursThis three day course covers the basics of securing the C/C++ code against the malicious users who may exploit many vulnerabilities in the code with memory management and input handling, the course cover the principals of writing secure code.
Advanced Java Security
21 HoursEven experienced Java programmers are not mastering by all means the various security services offered by Java, and are likewise not aware of the different vulnerabilities that are relevant for web applications written in Java.
The course – besides introducing security components of Standard Java Edition – deals with security issues of Java Enterprise Edition (JEE) and web services. Discussion of specific services is preceded with the foundations of cryptography and secure communication. Various exercises deal with declarative and programmatic security techniques in JEE, while both transport-layer and end-to-end security of web services is discussed. The use of all components is presented through several practical exercises, where participants can try out the discussed APIs and tools for themselves.
The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform and web-related vulnerabilities. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Understand security concepts of Web services
- Learn to use various security features of the Java development environment
- Have a practical understanding of cryptography
- Understand security solutions of Java EE
- Learn about typical coding mistakes and how to avoid them
- Get information about some recent vulnerabilities in the Java framework
- Get practical knowledge in using security testing tools
- Get sources and further readings on secure coding practices
Audience
Developers
Standard Java Security
14 HoursDescription
The Java language and the Runtime Environment (JRE) was designed to be free from the most problematic common security vulnerabilities experienced in other languages, like C/C++. Yet, software developers and architects should not only know how to use the various security features of the Java environment (positive security), but should also be aware of the numerous vulnerabilities that are still relevant for Java development (negative security).
The introduction of security services is preceded with a brief overview of the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. The use of these components is presented through several practical exercises, where participants can try out the discussed APIs for themselves.
The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform, covering both the typical bugs committed by Java programmers and the language- and environment-specific issues. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn to use various security features of the Java development environment
- Have a practical understanding of cryptography
- Learn about typical coding mistakes and how to avoid them
- Get information about some recent vulnerabilities in the Java framework
- Get sources and further readings on secure coding practices
Audience
Developers
.NET, C# and ASP.NET Security Development
14 HoursA number of programming languages are available today to compile code to .NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding-level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation.
The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more.
Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using .NET, while the discussion of vulnerabilities of the ASP.NET also deals with various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities not only deals with some general web application security challenges, but also with special issues and attack methods like attacking the ViewState, or the string termination attacks.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn to use various security features of the .NET development environment
- Get practical knowledge in using security testing tools
- Learn about typical coding mistakes and how to avoid them
- Get information about some recent vulnerabilities in .NET and ASP.NET
- Get sources and further readings on secure coding practices
Audience
Developers
The Secure Coding Landscape
14 HoursThe course introduces some common security concepts, gives an overview about the nature of the vulnerabilities regardless of the used programming languages and platforms, and explains how to handle the risks that apply regarding software security in the various phases of the software development lifecycle. Without going deeply into technical details, it highlights some of the most interesting and most aching vulnerabilities in various software development technologies, and presents the challenges of security testing, along with some techniques and tools that one can apply to find any existing problems in their code.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Understand Web vulnerabilities both on server and client side
- Realize the severe consequences of unsecure buffer handling
- Be informated about some recent vulnerabilities in development environments and frameworks
- Learn about typical coding mistakes and how to avoid them
- Understand security testing approaches and methodologies
Audience
Managers