The internet is one of the most dangerous places to do business today. Every day, organizations and governments fall victim to internet-based attacks. In many cases these attacks could easily be thwarted, yet hackers, organized criminal gangs, and foreign agents are still able to exploit weaknesses in web applications and their architecture. The secure web programmer knows how to identify, mitigate, and defend against such attacks by designing and building systems that are resistant to failure. The secure web application developer knows how to develop web applications that are not subject to common vulnerabilities, and how to test and validate that those applications are secure, reliable, and resistant to attack. The Secure Web Application Engineer course provides the developer with a thorough and broad understanding of secure application concepts, principles, and standards. The developer will be able to design, develop, and test web applications that provide reliable web services, meet functional business requirements, and satisfy compliance and assurance needs.

COURSE OVERVIEW

This course is designed to equip attendees with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will gain detailed knowledge of what soft
Students will put theory into practice by completing real-world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risk analysis and threat modeling, conducting secure code reviews, and more.
On the final day of training, students will complete a real-world hacking exercise on a live web application.

BENEFITS OF CSWAE COURSE

Graduates of the mile2 Certified Secure Web Application Engineer training obtain real-world security knowledge that enables them to recognize vulnerabilities, exploit system weaknesses, and help safeguard against threats.

Course Title: C)SWAE – Certified Secure Web Applications Engineer

Duration: 4 days

Language: English

Format:

Instructor-led

Live Virtual Training

Prerequisites:

  • A minimum of 24 months experience in software technologies
  • 12 months of software security
  • Sound knowledge of networking
  • At least one Coding Language

Student Materials:

  • Student Workbook
  • Student Reference Manual

Certification Exam:

CSWAE – Certified Secure Web Application Engineer

CPU: 32 Hours

DETAILED MODULE DESCRIPTION


  • Module 1 : Web Application Security
    • Web Application Security
    • Web Application Technologies and Architecture
    • Secure Design Architecture
    • Secure Coding Principles
    • Lab: Environment Setup – Lab
  • Module 2 : OWASP TOP 10
    • The Open Web Application Security Project (OWASP)
    • OWASP TOP 10 2013
    • Lab: Environment Setup – Lab
  • Module 3 : Threat Modeling & Risk Management
    • Threat Modeling Tools & Resources
    • Identify Threats
    • Identify Countermeasures
    • Choosing a Methodology
    • Post Threat Modeling
    • Analyzing and Managing Risk
    • Incremental Threat Modeling
    • Identify Security Requirements
    • Understand the System
    • Root Cause Analysis
    • Lab: Threat Modeling and Architecture Risk Analysis
    • Lab: Quick Threat Modeling (the Doctor use case)
  • Module 4 : Application Mapping
    • Application Mapping
    • Web Spiders
    • Web Vulnerability Assessment
    • Discovering other content
    • Application Analysis
    • Application Security Toolbox
    • Setting up a Testing Environment
    • Lab: Web Application Mapping using Ethical Hacking Tools
  • Module 5 : Authentication and Authorization Attacks
    • Authentication
      • Application Flaws and Defense Mechanisms
      • Defense In-Depth
      • Different Types of Authentication (HTTP, Form)
      • Client Side Attacks
      • Authentication Attacks
    • Authorization
      • Modeling Authorization
      • Least Privilege
      • Access Control
      • Authorization Attacks
      • Access Control Attacks
    • User Management
      • Password Storage
      • User Names
      • Account Lockout
      • Passwords
      • Password Reset
    • Client-Side Security
      • Anti-Tampering Measures
      • Code Obfuscation
      • Anti-Debugging
    • Lab: Cert Java Oracle Secure Coding IDS
    • Lab: Client Side, Authentication and Authorization Attacks
  • Module 6 : Session Management Attacks
    • Session Management Attacks
    • Session Hijacking
    • Session Fixation
    • Environment Configuration Attacks
    • Lab: Session Management, Access Controls and Configuration Attacks
  • Module 7 : Application Logic Attacks
    • Application Logic Attacks
    • Information Disclosure Exploits
    • Data Transmission Attacks
    • Lab: Application Logic, Information Disclosure and Data Transmission Attacks
  • Module 8 : Data Validation
    • Input and Output Validation
    • Trust Boundaries
    • Common Data Validation Attacks
    • Data Validation Design
    • Validating Non-Textual Data
    • Validation Strategies & Tactics
    • Errors & Exception Handling
      • Structured Exception Handling
      • Designing for Failure
      • Designing Error Messages
      • Failing Securely
  • Module 9 : AJAX Attacks
    • AJAX Attacks
    • Web Services Attacks
    • Application Server Attacks
    • Lab: AJAX, Web Services and Server Attacks
  • Module 10 : Code Review and Security Testing
    • Insecure Code Discovery and Mitigation
    • Testing Methodology
    • Client Side Testing
    • Session Management Testing
    • Developing Security Testing Scripts
    • Pentesting a Web Application
    • Lab: Performing Code Review and Building Security Test Scripts
  • Module 11 : Web Application Penetration Testing
    • Insecure Code Discovery and Mitigation
    • Benefits of a Penetration Test
    • Current Problems in WAPT
    • Learning Attack Methods
    • Methods of Obtaining Information
    • Passive vs. Active Reconnaissance
    • Footprinting Defined
    • Introduction to Port Scanning
    • OS Fingerprinting
    • Web Application Penetration Methodologies
    • The Anatomy of a Web Application Attack
    • Fuzzers
    • Lab: Performing Web Application PenTesting Steps
  • Module 12 : Secure SDLC
    • Secure Software Development Lifecycle (SDLC) Methodology
    • Web Hacking Methodology
    • Lab: Case Study and Web Penetration Testing Assignment
  • Module 13 : Cryptography
    • Overview of Cryptography
    • Key Management
    • Cryptography Application
    • True Random Generators (TRNG)
    • Symmetric/Asymmetric Cryptography
    • Digital Signatures and Certificates
    • Hashing Algorithms
    • XML Encryption and Digital Signatures Authorization Attacks
    • Lab: Encryption in Secure Coding (Example for Java, PHP and .NET)

Certification

UPON COMPLETION

Upon completion, attendees should have the skills to perform the following:

  • Identify application security vulnerabilities in any software application
  • Review software architecture diagrams and identify attack points
  • Perform web application penetration testing
    • Identify vulnerabilities as they relate to the OWASP Top 10
    • Perform advanced attacks against web applications
  • Design controls to defend against application vulnerabilities
  • Perform security code reviews
  • Develop security test scripts
  • Build a web hacking toolbox
  • Integrate security best practices into the Software Development Lifecycle (SDLC)
  • Communicate with both technical and non-technical audiences about application vulnerabilities
