Web Application Security

• An understanding of basic web application architecture
• Experience with a programming language such as Java, C#, PHP, or JavaScript
• Familiarity with client-server communication and HTTP

Audience

• Developers
• Web application architects
• Security-conscious technical teams

Web Application Security is the discipline of protecting online applications from modern security threats and vulnerabilities, including those that are platform-agnostic and affect core application architecture and input handling.

This instructor-led, live training (online or onsite) is aimed at intermediate-level developers who wish to understand and apply secure coding techniques to mitigate web vulnerabilities and implement robust web application security.

By the end of this training, participants will be able to:

• Understand basic concepts of security, IT security and secure coding.
• Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them.
• Learn client-side vulnerabilities and secure coding practices.
• Have a practical understanding of cryptography.
• Understand security concepts of Web services.
• Get practical knowledge in using security testing tools.
• Get sources and further readings on secure coding practices.

Format of the Course

• Interactive lecture and discussion.
• Lots of exercises and practice.
• Hands-on implementation in a live-lab environment.

Course Customization Options

• To request a customized training for this course, please contact us to arrange.

IT Security and Secure Coding

• Overview of information security principles
• CIA triad: Confidentiality, Integrity, Availability
• Common threats and threat modeling
• Best practices for secure software development lifecycle (SSDLC)

Web Application Security

• Understanding OWASP Top Ten and beyond
• Authentication and session management flaws
• Injection vulnerabilities (SQL, Command, LDAP, etc.)
• Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)

Client-Side Security

• DOM-based attacks and JavaScript-specific risks
• Insecure use of AJAX and browser storage
• Clickjacking and UI redressing
• Content Security Policy (CSP) implementation

Practical Cryptography

• Basic concepts: hashing, encryption, digital signatures
• Public key vs. symmetric key cryptography
• Transport Layer Security (TLS) basics
• Key management and common crypto mistakes

Security of Web Services

• SOAP and REST security considerations
• Authentication mechanisms: OAuth, JWT, API keys
• Common web service attacks and defenses
• Input validation in service payloads

XML Security

• XML injection and parsing attacks
• Entity expansion and XXE vulnerabilities
• Secure parsing techniques and libraries
• Using XML Security standards (XML-DSig, XML-Enc)

Knowledge Sources and Security Tools

• Recommended tools for security testing (e.g., OWASP ZAP, Burp Suite)
• Code scanning and analysis tools
• Online resources and security guidelines
• How to stay updated with emerging threats

Summary and Next Steps