Secure Web Application Development


SECURE WEB/API APPLICATION DEVELOPMENT

This course is designed to teach web application developers and architects how to build applications with
world-class security. QA engineers, IT security analysts, and IT risk managers can also benefit from this course.
Every major aspect of application security is covered, and each module includes both design and coding
advice. Hands-on labs are provided to help students master the concepts in a highly interactive setting. The
course focuses on application development strategies and tactics that secure software at the source.

Prerequisites
The course contains coding examples in both Java and ASP.Net, but can be customized for any development
language. A working knowledge of HTML, JavaScript and any server-side programming language (ASP.Net, Java,
PHP, etc.) is recommended.

Security Principles Overview

Importance of Security in the Software Development Lifecycle
Regulations, Privacy and Compliance
Impact of Security Defects
Core Security Concepts
Security Design Principles

Information Disclosure

Leakage in Web Technologies (HTML, HTTP, Files, Client-Side Objects, URLs, Web Services)
Error Handling (Structured vs. Functional)
Google Hacking

Authentication

Methods of Authentication
2-Factor Authentication
Single Sign-On
Common Authentication Attacks (Brute Force, Username Harvesting, etc.)
Implementing Secure Authentication – Design and Coding

Session Management

Overview of Sessions
Threats to Sessions and Impact
Common Implementation Mistakes and Exploits (Interception, Prediction, Brute Force, etc.)
Implementing Secure Sessions – Design and Coding

Authorization and Access Control

Methods of Access Control
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control
Common Authorization Attacks (Parameter Tampering, Privilege Escalation, Cross-Site Request Forgery, etc.)
Implementing Secure Authentication – Design and Coding

Secure Data Handling

Overview of Data Handling
Integrity Validation
Data Validation
Business Rule Validation
Common Exploits (SQL Injection, Cross-Site Scripting, HTTP Response Splitting, etc.)
Implementing Secure Data Handling – Design and Coding

Cryptography

Hashing
Secure Password Storage
Symmetric and Asymmetric Encryption
Digital Signatures
Certificates
Key Distribution
SSL and Digital Certificates
Implementing Cryptography – Design and Coding

Logging

Logging Overview
Threats and Considerations
Implementing Logging – Design and Coding

Web Service Security

Simple Object Access Protocol (SOAP)
SOAP Related Protocols
Security Assertion Markup Language (SAML)
WS-Security
REpresentational State Transfer (REST)
REST Related Protocols
JSON vs XML
Implementing Secure Web Services – Design and Coding

Secure Application Development

Software Development Life Cycle (SDLC)
Threat Modeling
Application Risk Levels
Risk Assessment
STRIDE and DREAD
Severity Level Classifications
Web Application Security Tools
Web Application Security Resources

API SECURITY

This course is designed to teach web application developers and architects how to build applications with
world-class security. QA engineers, IT security analysts, and IT risk managers can also benefit from this course.
Every major aspect of application programming interface security is covered, and each module includes both
design and coding advice.

Prerequisites
The course contains coding examples in both Java and ASP.Net, but can be customized for any development
language. A working knowledge of HTML, JavaScript and any server-side programming language (ASP.Net, Java,
PHP, etc.) is recommended.

Module 1: Managed APIs

Module 2: Security by Design

Module 3: HTTP Basic/Digest Authentication

Module 4: Mutual Authentication with TLS

Module 5: Identity Delegation

Module 6: OAuth 2.0

Module 7: OAuth 2.0 MAC Token Profile

Module 8: OAuth 2.0 Profiles

Module 10: User Managed Access

Module 11: Federation

Module 12: OpenID Connect

Module 13: JWT, JWS and JWE

Module 14: Patterns and Practices
