
Defending Web Application Security

Traditional enterprise information security defenses, such as firewalls, intrusion detection systems, intrusion prevention systems, and anti-virus tools, fail to secure web applications. The quantity and importance of data processed and hosted by web applications is growing, and defenders need to learn how to secure it. A Gartner report found that "over 70 percent of security vulnerabilities exist at the application layer, not the network layer". However, according to Microsoft developer research, "64 percent of developers are not confident in their ability to write secure applications".

The course "Defending Web Application Security" will help you better understand common web application vulnerabilities and get familiar with the techniques you can use in your web applications to properly defend against these web application vulnerabilities.

The course "Defending Web Application Security" will also help you prepare for the GIAC Certified Web Application Defender (GWEB) certification, since the two share the same objective: to allow candidates to demonstrate mastery of the security knowledge and skills needed to deal with the common web application errors that lead to most security problems.

To maximize the benefit for a wide range of audiences, the discussions in this course are programming-language agnostic; the focus is on security techniques rather than on coding-level implementation.

The course is taught by e2College instructors who hold a current GWEB certification and are subject matter experts in the information security industry, and in software security in particular.

Course Objectives

The objectives of the course "Defending Web Application Security" are the same as the GWEB certification objectives:

Prepare students to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems.

Students taking this course will have hands-on experience using current tools to detect and prevent Input Validation flaws, Cross-site scripting (XSS), and SQL Injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended.

After taking this course, you will have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.

Course Content

The following topics will be covered in this course:

Web Basics and Authentication Security

  • HTTP basics
  • Overview of web technologies
  • Web application architecture
  • Recent attack trends
  • Authentication vulnerabilities and defense
  • Authorization vulnerabilities and defense

Web Application Common Vulnerabilities and Mitigations

  • SSL vulnerabilities and testing
  • Proper encryption use in web applications
  • Session vulnerabilities and testing
  • Cross Site Request Forgery
  • Business logic flaws
  • Concurrency
  • Input related flaws and related defense
  • SQL Injection vulnerabilities, testing and defense

Proactive Defense and Operation Security

  • Cross Site Scripting vulnerability and defenses
  • Web environment configuration security
  • Intrusion detection in web applications
  • Incident handling
  • Honeytokens

AJAX and Web Services Security

  • Web services overview
  • Security in parsing of XML
  • XML security
  • AJAX technologies overview
  • AJAX attack trends and common attacks
  • AJAX defense

Cutting Edge Web Security

  • Clickjacking
  • DNS rebinding
  • Flash security
  • Java applet security
  • Single Sign-On solutions and their security
  • IPv6 impact on web security

Capture & Defend the Flag Exercise

  • Mitigation of server configuration errors
  • Discovering and mitigating coding problems
  • Testing business logic issues and fixing problems
  • Web services testing and security problem mitigation

Course Format & Schedule

The training course "Defending Web Application Security" is offered as an online live class: you log in at the scheduled times and join your instructor and classmates in an interactive virtual classroom. Classes meet two evenings a week for six weeks, for a total of 12 sessions. The evening class time is usually between 7:30pm and 10:00pm local time (the specific class time may vary a little to accommodate attendees from different time zones).

Course Prerequisites

Before taking this course, it is recommended that you have basic knowledge of web application development, operation, and/or web server administration.