OWASP Web Security Testing Guide

Prerequisites:

• A general understanding of web development lifecycle
• Experience in web application development, security, and testing

Audience

• Developers
• Engineers
• Architects

Overview:

The Web Security Testing Guide (WSTG) is a community-led, open-source testing resource that provides a comprehensive framework in performing security testing for web applications and services. The Open Web Application Security Project (OWASP) Foundation and its online community continuously develop the WSTG.

This instructor-led, live training (online or onsite) is aimed at developers, engineers, and architects who wish to apply the WSTG testing framework, principles, and techniques to secure their web applications and services.

By the end of this training, participants will be able to:

• Use the WSTG to implement testing processes and techniques in the web development lifecycle.
• Explore different testing techniques to customize the WSTG framework based on business needs.
• Perform various security testing methods to protect web applications from risks and attacks.
• Create an assessment report to document security testing findings and results.

Format of the Course

• Interactive lecture and discussion.
• Lots of exercises and practice.
• Hands-on implementation in a live-lab environment.

Course Customization Options

• To request a customized training for this course, please contact us to arrange.

Course Outline:

Introduction

Overview of Web Security Testing Guide

• The OWASP Testing Project
• Tailoring and prioritizing for organizations
• Testing principles and techniques
• Security testing objectives and requirements

Exploring Various Testing Techniques

• Manual inspections and reviews
• Threat modeling
• Source code review
• Penetration testing
• Security test integration and data analysis

Understanding the OWASP Testing Framework

• Activities from development to deployment
• Maintenance and operations
• Lifecycle end-to-end testing framework and workflow
• Penetration testing methodologies

Performing Web Application Security Testing

• Information gathering
• Configuration and deployment management testing
• Identity management testing
• Authentication and authorization testing
• Session management testing
• Input validation testing
• Testing for error handling
• Testing for weak cryptography
• Business logic testing
• Client-side testing
• API testing

Reporting the Testing Assessment and Results

• Introduction section
• Executive summary
• Findings section
• Appendices

Getting Involved in the Web Security Testing Guide

• Referencing and linking WSTG scenarios
• Code of conduct
• Contribution guide
• Feature requests and feedback

Summary and Conclusion