• Knowledge of a programming language (Java, .NET, PHP).
• Knowledge of web technology.
• Knowledge of database management systems (Oracle, MySQL, MSSQL).
This course covers the essential secure coding topics that are relevant to the majority of web application developers. It teaches the concepts of secure programming through a hands-on cycle: looking at a specific piece of code, identifying the security flaw in it, and implementing a fix for that flaw.
In this course you will watch demos of real-world attacks and learn how to prevent them, gaining confidence on the path to improving the security of your applications.
Duration: 3 days
Who Should Attend: Developers looking to extend their knowledge in secure coding.
Upon Completion
Students will gain knowledge of:
• Web Application Security.
• Common Web Application Risks.
• Demo Web Application Penetration.
• Data Validation.
• Authentication.
• Session Management.
• Secure SDLC.
Module 1: Introduction to Software Security
• Course overview.
• Course objectives.
• Introduction.
• Why care about software security.
• Application threats.
• Common vulnerabilities.
• Definitions of software security.
• Secure coding fundamentals.
Module 2: Common Web Application Risks (OWASP Top 10)
• A1 - Injection.
1. SQL Injection.
2. OS/Command Injection.
3. LDAP Injection.
• A2 - Broken Authentication and Session Management.
• A3 - Cross-Site Scripting (XSS).
• A4 - Insecure Direct Object References.
• A5 - Security Misconfiguration.
• A6 - Sensitive Data Exposure.
1. Data at Rest.
2. Data in Transit.
• A7 - Missing Function Level Access Control.
Module 3: Demo Web Application Penetration
• Videos.
• Vulnerability penetration demo.
Module 4: Data Validation
• Input validation.
• Server-side vs. client-side validation.
• Whitelisting vs. blacklisting.
• Output encoding and escaping.
• Parameterized queries.
• Using frameworks and APIs.
• Microsoft Web Protection Library.
• Java Regex.
• OWASP ESAPI validators.
Module 5: Authentication
• Basic vs. forms-based authentication.
• Authentication Policies.
• Authorization and permissions.
Module 6: Session Management
• Protecting session IDs.
• Session Hijacking.
• Session Fixation.
Module 7: Secure SDLC
• Overview.
• Secure software development lifecycle.
• A Secure Process.
• Manager’s point of view.
• Developer’s point of view.
• Consumer expectations.
• Business responsibility.
• Phases of development lifecycle.
United Arab Emirates - Applications Security Foundation
Qatar - Applications Security Foundation
Egypt - Applications Security Foundation
Saudi Arabia - Applications Security Foundation
South Africa - Applications Security Foundation
India - Applications Security Foundation
Sri Lanka - Applications Security Foundation
Morocco - Applications Security Foundation
Tunisia - Applications Security Foundation
Kuwait - Applications Security Foundation
Oman - Applications Security Foundation
Slovakia - Applications Security Foundation
Kenya - Applications Security Foundation
Nigeria - Applications Security Foundation
Botswana - Applications Security Foundation
Slovenia - Applications Security Foundation
Croatia - Applications Security Foundation
Serbia - Applications Security Foundation
Bhutan - Applications Security Foundation