Secure Web Application Development

Audience

Web application designers, architects, developers and testers, IT, program and project managers as well as auditors assessing web application projects.

Prerequisites

Students should have a high-level understanding of software development principles and some experience in at least one web application development technology.

Duration

3 days.

Course Objectives

This course presents the processes required to build robust and secure web applications from the start and explains how to eliminate existing security bugs. Best practices for authentication, access control, data protection, attack prevention, error handling, and much more are included. Using the practical advice and real-world examples provided, you'll gain valuable secure software engineering skills. This course is not geared towards any particular platform or technology; instead it discusses the underlying aspects and concepts encountered in all of them.

At the end of this course, delegates will be able to:

  • Describe the core processes to build secure web applications
  • Recognise common attack patterns, and how to protect against them
  • Use a wide range of best practices to develop secure web applications
  • Understand patterns and anti-patterns of secure web application development
  • Appreciate that security is an integral part of any system development life cycle and crucial to any successful web application project

Course Content

Web Application Security Basics

  • What is Untrusted Data?
  • HTTP Security Considerations
  • Anti-Patterns and Weaknesses
  • Security Controls and Positive Patterns
  • Input Validation

Authentication and Session Management

  • Registration of New Users
  • Login Process
  • Attacks Against Authentication
  • Secure Cookies
  • Credential Security
  • Multi-Factor Authentication
  • Federated Identity, SAML, OAuth et al

Access Control

  • Identity and Access Control
  • Anti-Patterns and Patterns
  • Role-Based Access Control
  • Multi-Tenancy
  • Contextual Access Control
  • Attribute-Based Access Control

Cross-Site Scripting (XSS) Defense

  • Content Spoofing
  • Reflected, Stored and DOM-Based XSS
  • Defending Against XSS
  • Input and HTML Validation and Sanitization
  • Output Encoding
  • Secure JSON Patterns, jQuery and DOM XSS

Cross-Site Request Forgery (CSRF) Defense and Clickjacking

  • How Does CSRF Work?
  • Stored, Intranet, Network and Unauthenticated CSRF
  • How to Combat CSRF
  • Synchronizer Token and Challenge/Response Patterns
  • HTTP Request Referrer Header Verification
  • XSS Defense and CSRF Protection
  • Clickjacking
  • How to Combat Clickjacking

Protecting Sensitive Data

  • Securing Data in Transit
  • Protocol Versions and Cipher Suites
  • Certificates and Trust Managers
  • Securing Data at Rest
  • Encryption and Signing
  • Key Management
  • Secure Random Numbers

SQL Injection and Other Injection Attacks

  • What is SQL Injection?
  • Query Parameterization
  • Stored Procedures
  • Defense in Depth
  • Input Validation and Type Safety
  • Access Control
  • Relational Mapping and ORMs
  • XML, JSON and Command Injections

Safe File Upload and File I/O

  • Anti-Patterns and Design Flaws
  • File Path and Null Byte Injections
  • File I/O Resource Management
  • File Upload Security
  • Attack Patterns
  • Dangerous Content, Overwrites and Quota Overload DoS
  • Processing zip, rar and other Archives
  • Positive Patterns

Logging, Error Handling, and Intrusion Detection

  • Logging Basics
  • What to Log, and What Not to Log
  • Logging Frameworks for Security
  • Safe Error Handling
  • App Layer Intrusion Detection
  • Defending Against Automated Attacks
  • OWASP AppSensor

Secure Software Development Lifecycle

  • Averting Disaster Before it Starts
  • Team Roles for Security
  • Security Throughout the Application Life Cycle
  • Security in the Software Development Life Cycle
  • Business and Technical Security Requirements
  • Implementing Security Controls
  • Testing Security Controls
  • Monitoring and Incident Response

Virtual Courses

ALL of our courses can be delivered virtually. Our Bath public schedule of courses is now available as live virtual sessions, using the popular Zoom Virtual Classroom and remote labs. Delegates can test their access at: www.zoom.us/test

On-Site Courses

Can't attend one of our public classes? Booking for multiple people?

All our courses are available on your site! Delivered for your staff, at your premises.

Contact us to find out more...