Building and Testing Secure Web Applications
Revision: TE3406_20070313
Course Length:
2 Days
Course Description:
The course starts with a module that demonstrates just how insecure most web applications are. It demonstrates how hackers are able to attack web applications, and what common vulnerabilities they exploit. The next modules detail specific security areas, discussing the foundational principles and best practices, and review code examples of design patterns for solutions.
Who Should Attend:
This course is for software and web application developers; software, QA, and security testers; system and security administrators; security engineers and managers; and individuals responsible for software requirements definition, procurement, or negotiations.
Benefits of Attendance:
Upon completion of this course, students will be able to:
- employ the security features involved with using HTTP (e.g., headers, cookies, SSL);
- apply application security design principles;
- identify and explain common web application security threats and implement mitigation techniques;
- handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, re-authentication, and timeouts;
- implement access control rules for the user interface, business logic, and data layers;
- recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input;
- understand the dangers of command injection and techniques for avoiding the introduction of this type of vulnerability;
- implement a consistent error (exception) handling and logging approach for an entire web application;
- learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely;
- select and implement appropriate auditing/logging capabilities;
- understand the variety of denial of service attacks and the techniques that can be employed to reduce the likelihood of a successful denial of service attack;
- review their applications for common security vulnerabilities using code review and penetration testing techniques; and
- understand the factors involved in securing a Web Services capability.
Prerequisites:
Students should have basic IT skills, including using Windows and a browser. Students should have some exposure to web software and come ready to test. Minimal programming experience is required.
Course Outline:
- Authentication
- Session Management
- Access Control
- Parameter Use
- Cross Site Scripting
- Buffer Overflows
- Input Validation
- Command Injection
- SQL Injection
- Using Databases Securely
- Error Handling
- Cryptography
- Using Services Securely
- Unnecessary and Malicious Code
- Thread Safety
- Denial of Service
- Privacy and Legislative Compliance
- Accountability and Logging
- Caching, Pooling, and Reuse
- Code Quality
- Establishing Application Security Policy
- Integrating Security into Your SDLC