Description
Designing and implementing secure web applications is a significant challenge that requires expertise in programming, web-application development, and IT security. This course is designed exclusively for experienced web-application developers, equipping them to build secure web applications by illuminating the most common serious vulnerabilities and how to avoid them.
Audience
Experienced Java, C#, and PHP web-application developers seeking to understand and avoid introducing common security vulnerabilities into their designs and applications.
Duration
3 Days
Objectives
- Be familiar with common web application security vulnerabilities
- Understand how security vulnerabilities can be introduced into web applications
- Understand how to properly validate Untrusted Input
- Understand the purpose and benefits of Data Sanitization
- Be familiar with the Input Validator and Sanitizer Design Patterns
- Be prepared to avoid SQL Injection Vulnerabilities
- Be prepared to avoid Cross-Site Scripting (XSS) Vulnerabilities
- Be prepared to avoid Authentication and Session Vulnerabilities
- Be better prepared to test web application security
Setup
- A Web Application Server Environment, such as:
  - Java 2 Standard Edition (J2EE)
  - Microsoft C# .NET Studio
  - Apache and PHP
- A Web Browser and Proxy, such as:
  - Firefox
  - TamperData
- A Database Management System, such as:
  - Apache Derby
  - SQL Server Express
Text
- Course Workbook
Prerequisites
- Application Security and the SDLC
- A solid understanding of either Java and JSPs, OR C# .NET and ASPs, OR PHP
Outline
Topic 1: Introduction
- Welcome
- Motivation
- Course Objectives
- Course Overview
- The Software Development Lifecycle (SDLC)
- Security in the SDLC
- The Importance of Security Requirements
- Application Security in Context
- Lab Exercise: Requiring Security
- Quiz
Topic 2: Preventing Malformed Input
- Validating Untrusted Input
- Handling Unexpected Input
- Validating Input Data
- Input Validator Design Pattern
- What is a Regular Expression?
- Regular Expressions: Example
- More Regular Expressions
- More Regular Expression Examples
- Lab Exercise: Input Validation
- Quiz
Topic 3: Preventing Injection Attacks
- What is an Injection Attack?
- Preventing Injection Attacks
- Validating Untrusted Input
- Syntactic Validation
- Logical Validation
- Data Encoding
- Client Side Data Validation
- Server Side Data Validation
- Where to Validate
- Handling Unexpected Input
- Example: Using Tamper Data
- Lab Exercise: Injection Rejection
- Quiz
Topic 4: Preventing XSS
- What is Cross-site Scripting?
- Example: Cross-site Scripting
- Exploiting XSS Vulnerabilities
- Case Study: But I don’t Like Spam
- Preventing Cross-site Scripting
- Preventing XSS in HTML Body
- Preventing XSS in HTML Attributes
- Preventing XSS in JavaScript Data Values
- Example: A Simple Encoder
- Example: Encoding at Work
- Lab Exercise: Injection Rejection
- Quiz
Topic 5: Preventing SQL Injection
- What is SQL Injection?
- Case Study: I Still Don’t Like Spam
- Preventing SQL Injection
- Prepared Statements
- Lab Exercise: Injection Rejection
- Quiz
Topic 6: Preventing Command Injection
- What is Command Injection?
- Case Study: Do the Math
- Preventing Command Injection
- Other Injection Attacks
- Preventing Direct Object References
- Preventing Format String Attacks
- Summary of Special Characters
- Encoding Special Characters
- Lab Exercise: No, You do the Math
- Quiz
Topic 7: Preventing Other Vulnerabilities
- How Do You Prevent…?
- Lab Exercise: What’s in Your Wallet?
- Quiz
Topic 8: Miscellaneous Topics
- Application Security in Perspective
- Security Manager Design Pattern
- Avoiding Common Vulnerabilities
- Security in the SDLC
- The Security Design Review
- The OWASP ESAPI
Appendix: Developing Secure Mobile Applications
Appendix: Summary of Special Characters
Appendix: Quiz Answers
Register
For more information or to register for this training course, call 1-800-840-2335 or contact us on our website.