Advanced Web Application Security Training

Training Description:

Web applications are integral parts of many enterprise applications. While they provide a convenient mechanism for organizations to render their services in a customer-convenient manner, they are often the targets of abuse. The effects of such abuse can be devastating and costly to recover from. Hence, all non-trivial web applications should be developed, tested, selected, evaluated, bought, deployed and operated with sufficient security controls.

This advanced training on web application security distinguishes between threats, vulnerabilities and attacks. Each threat, vulnerability and attack is examined in detail and countermeasures are identified. Some topics are highlighted for their increased relevance or because they need greater explanation.

The training brings in threat risk modeling to make sure security investments are made at appropriate times and in appropriate amounts, so that money is not wasted on unnecessary or disproportionate security measures.

The participants will also be exposed to a well-accepted application security process and a set of principles they can follow in their organizations. A maturity model will also be introduced with which organizations can benchmark their security assurance efforts.

Training Objectives:

At the end of the training, participants will be able to:
  1. Audit and evaluate the security of web applications.
  2. Create a threat risk model for a given web application.
  3. Identify the degree to which a given web application should be secured.
  4. Recommend security improvement areas of a given web application.
  5. Classify, list and describe the known threats, vulnerabilities, attacks and countermeasures as applicable for web applications.
  6. Describe application security principles that organizations should customize and adhere to.
  7. Describe at a high level a security process (CLASP) and a maturity model (SAMM).
  8. Implement web applications with high security (Applicable for developers).
  9. Deploy and administrate web applications with tight security controls (Applicable for deployers and administrators).

Target Groups:

  1. Web application security auditing and technical evaluation staff
  2. Information system threat modelers
  3. Web application developers
  4. Web application deployment staff
  5. Administrators of web based systems
  6. Read "Do I fit for that training?" if you are interested but need help determining whether you should participate.

Prerequisites:

  1. Participants should have a general understanding of the World Wide Web and the Internet.
  2. Though not strictly required, prior knowledge of HTML and HTTP will be an advantage.
  3. Though not strictly required, prior experience in writing web applications will be an advantage.
  4. Though not strictly required, prior familiarity with auditing and evaluating information systems will be an advantage.

Communication Language:

English

Duration:

4 days (32 hours)

Facilitator:

Kamal Wickramanayake

Notes:

  1. The training includes hands-on lab exercises in which participants will test, evaluate and correct a number of threat, vulnerability and attack scenarios as applicable to web applications.
  2. While many topics relate to web application development, participants should not consider this training an opportunity to learn how to write web applications in general. This training focuses specifically on security.
  3. What is taught during the training is applicable to web applications implemented in any programming language or platform. However, code snippets written in PHP will be used to demonstrate many of the web application vulnerabilities. PHP is an easily understood scripting language in wide use. If requested, Java code (JSP/Servlet, or even Struts/Tiles and JSF) can be used instead if the participants are familiar with those technologies.

Training Content:

  1. Introduction
    • The landscape of web application security
    • The need to deal specifically with the security of web applications
    • Terminology (threats, vulnerabilities, attacks, countermeasures)
  2. Threats
    • Threat classification
    • Details of many (10+) known threats and countermeasures (not listed for brevity)
  3. Vulnerabilities
    • Vulnerability classification
    • Details of many (20+) known vulnerabilities and countermeasures (not listed for brevity)
  4. Attacks
    • Attack classification
    • Details of many (10+) known attacks and countermeasures (not listed for brevity)
  5. Special Topics
    • Effectiveness of phishing and pharming countermeasures
    • Threat of search engines
    • Security challenges of Web services
    • AJAX and other rich interface technologies
    • User visible design flaws
    • Secure coding principles
    • Evaluating firewalls
    • Contracting for secure software
    • In-house and outsourced software development
  6. Threat Risk Modeling
    • Overview of threat modeling
    • What is threat risk modeling and why?
    • Performing threat risk modeling
    • Characterizing threats with STRIDE
    • Quantifying, comparing and prioritizing risks with DREAD
  7. Security Process
    • Application security principles
    • Overview of Comprehensive, Lightweight Application Security Process (CLASP)
    • Overview of Security Assurance Maturity Model (SAMM)
    • Food for thought for security auditors
  8. Tools
    • Many freely available purpose built and ad hoc tools will be introduced to automate testing and improve efficiency.
