- Basic Programming Knowledge: Participants should have a basic understanding of programming concepts and experience in at least one programming language.
- Familiarity with Web Development: Prior knowledge of web development concepts (HTML, CSS, JavaScript) will be beneficial for discussions on web application security.
- Understanding of Software Development: Familiarity with software development practices and the software development lifecycle is recommended to contextualize security measures.
- Security Fundamentals: Participants should have a general understanding of information security concepts, including common threats and vulnerabilities.
- Web Application Basics: Basic understanding of how web applications work, including client-server interactions and the HTTP protocol.
- Command Line Proficiency: Some labs may require basic command line navigation and commands.
Day 1:

Morning Session:

1. Introduction to OWASP and Secure Software Development
- Overview of OWASP and its significance in software security
- Understanding the software development lifecycle with security in focus
- Overview of PCI-DSS v4.0 Requirement 6

Lab 1: Threat Modeling
Participants will conduct a threat modeling exercise for a sample application.

2. Secure Software Design Principles
- Fundamentals of secure software design
- Threat modeling and risk assessment in the design phase

Lab 2: Secure Coding Practices
Participants will practice secure coding techniques through hands-on exercises.

Afternoon Session:

3. Secure Coding Techniques
- Common vulnerabilities and secure coding practices
- Input validation and output encoding
- Handling authentication and authorization securely
- Best practices for error handling

Lab 3: Vulnerability Identification with SAST
Participants will use SAST tools to identify vulnerabilities in sample code.

4. Secure Software Lifecycle and Vulnerability Identification
- Integrating security into the software development lifecycle (SDLC)
- Manual code review and code analysis techniques
- Introduction to Static Application Security Testing (SAST) tools

Lab 4: Dynamic Application Security Testing
Participants will perform DAST scans on a web application and interpret the results.
Day 2:

Morning Session:

5. Automated Security Testing Tools
- Introduction to Dynamic Application Security Testing (DAST)
- Using DAST tools to identify vulnerabilities in running applications

Lab 5: Mitigating OWASP Top 10 Risks
Participants will apply security measures to address OWASP Top 10 vulnerabilities in a web application.

6. OWASP Top 10 – 2021
- In-depth exploration of the top 10 web application security risks
- Mitigation techniques for each OWASP Top 10 risk

Lab 6: Applying ASVS and Best Practices
Participants will map ASVS requirements and implement additional best practices in a sample application.

Afternoon Session:

7. OWASP Application Security Verification Standard (ASVS) and Best Practices
- Understanding ASVS levels 2 and 3
- Supplementing ASVS with best practices for key areas (SSO, OAuth, JWT, field-level encryption in transit, etc.)

Lab 7: Securing Java and Node.js Applications
Participants will implement security best practices in Java and Node.js code.

8. Java and Node.js Specific Security Best Practices
- Common security pitfalls in Java and Node.js applications
- Security best practices and libraries for mitigating vulnerabilities

Lab 8: Securing APIs with API Gateway
Participants will configure an API Gateway and apply security measures to protect APIs.

9. API Gateway Security Best Practices
- Securing APIs using an API Gateway
- Authentication, authorization, and rate limiting for APIs

Lab 9: Implementing AWS Security
Participants will apply security best practices to AWS resources and services.

10. AWS Security Best Practices
- Securing AWS resources and services
- IAM policies, network security, encryption, and logging

Wrap-Up:
- Recap of key concepts and takeaways from the course.
- Q&A session to address any remaining doubts or questions.