TT8120: Secure Web Applications | OWASP Top Ten, Web Services, Rich Interfaces & More

Security experts agree that the least effective approach to security is “penetrate and patch”. It is far more effective to “bake” security into an application throughout its lifecycle. After spending significant time examining a poorly designed (from a security perspective) web application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle.

Secure Web Application Development is a seminar-style course designed for web developers and technical stakeholders who need to produce secure web applications. Students thoroughly examine best practices for defensively coding web applications, covering the entire 2021 OWASP Top Ten as well as several additional prominent vulnerabilities (such as file uploads and handling untrusted free-form text). Our web application security expert will share how to integrate security measures into the development process. You will also explore core concepts and challenges in web application security, with real-world examples that illustrate the potential consequences of not following these best practices.

Student Testimonials

Instructor did a great job, from experience this subject can be a bit dry to teach but he was able to keep it very engaging and made it much easier to focus. Student
Excellent presentation skills, subject matter knowledge, and command of the environment. Student
Instructor was outstanding. Knowledgeable, presented well, and class timing was perfect. Student


Prerequisites


Real-world programming experience is highly recommended for code reviews, but not required.

Detailed Class Syllabus


Session: Bug Hunting Foundation


Lesson: Why Hunt Bugs?
The Language of Cybersecurity
The Changing Cybersecurity Landscape
AppSec Dissection of SolarWinds
The Human Perimeter
Interpreting the 2021 Verizon Data Breach Investigation Report
First Axiom in Web Application Security Analysis
First Axiom in Addressing ALL Security Concerns
Lab: Case Study in Failure
Lesson: Safe and Appropriate Bug Hunting/Hacking
Working Ethically
Respecting Privacy
Bug/Defect Notification
Bug Bounty Programs
Bug Hunting Mistakes to Avoid

Session: Moving Forward From Hunting Bugs


Lesson: Removing Bugs
Open Web Application Security Project (OWASP)
OWASP Top Ten Overview
Web Application Security Consortium (WASC)
CERT Secure Coding Standards
Microsoft Security Response Center
Software-Specific Threat Intelligence

Session: Foundation for Securing Web Applications


Lesson: Principles of Information Security
Security is a Lifecycle Issue
Minimize Attack Surface Area
Layers of Defense: Tenacious D
Compartmentalize
Consider All Application States
Do NOT Trust the Untrusted
AppSec Dissection of the Verkada Exploit

Session: Bug Stomping 101


Lesson: Unvalidated Data
Buffer Overflows
Integer Arithmetic Vulnerabilities
Defining and Defending Trust Boundaries
Rigorous, Positive Specifications
Whitelisting vs Blacklisting
Challenges: Free-Form Text, Email Addresses, and Uploaded Files
Lesson: A01: Broken Access Control
Elevation of Privileges
Insufficient Flow Control
Unprotected URL/Resource Access/Forceful Browsing
Metadata Manipulation (JWTs)
CORS Misconfiguration Issues
Cross Site Request Forgeries (CSRF)
CSRF Defenses
Lab: Spotlight: Verizon
Lesson: A02: Cryptographic Failures
Identifying Protection Needs
Evolving Privacy Considerations
Options for Protecting Data
Transport/Message Level Security
Weak Cryptographic Processing
Keys and Key Management
NIST Recommendations
Lesson: A03: Injection
Injection Flaws
SQL Injection Attacks Evolve
Drill Down on Stored Procedures
Other Forms of Server-Side Injection
Minimizing Injection Flaws
Client-side Injection: XSS
Persistent, Reflective, and DOM-Based XSS
Best Practices for Untrusted Data
Lesson: A04: Insecure Design
Secure Software Development Processes
Shifting Left
Cost of Continually Reinventing
Leveraging Common AppSec Practices and Control
Paralysis by Analysis
Actionable Application Security
Additional Tools for the Toolbox
Lab: Actionable AppSec
Lesson: A05: Security Misconfiguration
System Hardening
Risks with Internet-Connected Resources (Servers to Cloud)
Minimalist Configurations
Application Whitelisting
Secure Baseline
Segmentation with Containers and Cloud
Demo / Lab: Configuration Guidance
Resolution of External References
Safe XML Processing

Session: Bug Stomping 102


Lesson: A06: Vulnerable and Outdated Components
Vulnerable Components
Software Inventory
Managing Updates: Balancing Risk and Timeliness
AppSec Dissection of Ongoing Microsoft Exchange Exploits
Lab: Spotlight: Equifax
Lesson: A07: Identification and Authentication Failures
Quality and Protection of Authentication Data
Proper hashing of passwords
Handling Passwords on Server Side
Session Management
HttpOnly and Security Headers
Lesson: A08: Software and Data Integrity Failures
Serialization / Deserialization
Issues with Consuming Vulnerable Software
Using Trusted Repositories
CI/CD Pipeline Issues
Protecting Software Development Resources
Lesson: A09: Security Logging and Monitoring Failures
Detecting Threats and Active Attacks
Best Practices for Determining What to Log
Safe Logging in Support of Forensics
Lab: Auditing and Logging Guidance
Lesson: A10: Server-Side Request Forgery (SSRF)
Understanding SSRF
Remote Resource Access Scenarios
Complexity of Cloud Services
SSRF Defense in Depth
Positive Allow Lists

Session: Moving Forward


Lesson: Applications: What Next?
Common Vulnerabilities and Exposures (CVE)
CWE/SANS Top 25 Most Dangerous SW Errors
Strength Training: Project Teams/Developers
Strength Training: IT Organizations
Lab: Spotlight: Capital One

Additional Topics: Time Permitting


Lesson: SDL Overview
Attack Phases: Offensive Actions and Defensive Controls
Secure Software Development Processes
Shifting Left
Actionable Items Moving Forward
Lesson: SDL in Action
Risk Escalators
Risk Escalator Mitigation
SDL Phases
Actions for each SDL Phase
SDL Best Practices