About the course
DEV522: Defending Web Applications Security Essentials
Sat, February 23 - Thu, February 28, 2019
Instructor: Jason Lam
I'm responsible for the web application security for my company, but have never been a developer. I feel I now have the knowledge needed to sit with my developers, understand, and discuss in greater depth the security of our web applications!
James Baker, Pass Key
As the world moves everything online, DEV522 is a necessity.
Chris Spinder, B/E Aerospace, Inc.
This is the course to take if you have to defend web applications!
The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Traditional network defenses, such as firewalls, fail to secure web applications. DEV522 covers the OWASP Top 10 Risks and will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.
Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world applications that have been proven to work. The testing aspect of vulnerabilities will also be covered so that you can ensure your application is tested for the vulnerabilities discussed in class.
To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.
DEV522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications.
The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:
- Infrastructure security
- Server configuration
- Authentication mechanisms
- Application language configuration
- Application coding errors like SQL injection and cross-site scripting
- Cross-site request forgery
- Authentication bypass
- Web services and related flaws
- Web 2.0 and its use of web services
- XPath and XQuery languages and injection
- Business logic flaws
- Protective HTTP headers
The course will make heavy use of hands-on exercises and concludes with a large defensive exercise that reinforces the lessons learned throughout the week.
You Will Learn:
- How to comprehensively remediate common web application vulnerabilities.
- How to apply defensive application design and coding practices to avoid security vulnerabilities.
- The HTTP protocol and new technologies such as SPDY and WebSockets that affect the protocol stack.
- How to move away from basic web application security principles of "validating more" and implement effective security controls against vulnerabilities that input validation simply does not fix.
- How to customize, implement, and maintain a baseline security standard for the web applications development lifecycle (SANS SWAT checklist), improving security and reducing exposure to common vulnerabilities such as the OWASP Top 10 Risks.
- How to leverage HTTP header-level protection to apply strong defense systems on the client side by building another layer of defense on top of secure coding on the server side.
- How to design better and stronger security architecture that includes infrastructure aspects in the design process.
- How to understand cutting-edge web technologies (such as HTML5) and their security implications, avoiding security issues when utilizing these newer technologies.
DEV522.1: Web Basics and Authentication Security
DEV522.2: Web Application Common Vulnerabilities and Mitigations
DEV522.3: Proactive Defense and Operation Security
DEV522.4: AJAX and Web Services Security
DEV522.5: Cutting-Edge Web Security
DEV522.6: Capture and Defend the Flag Exercise
Too many websites are getting compromised these days. The goal of DEV522 is to arm students with defensive strategies that can work for all web applications. We all know it is very difficult to defend a web application because there are so many different types of vulnerabilities and attack channels. Overlook one thing and your web app is owned. The defensive perimeter needs to extend far beyond just the coding aspects of a web application. This course covers the security vulnerabilities so that students have a good understanding of the problems at hand. We then provide the defensive strategies and tricks, as well as the overall architecture, that have been proven to help secure sites. I have also included some case studies throughout the course so we can learn from the mistakes of others and make our own defense stronger. The exercises in class are designed to help you further your understanding and help you retain this knowledge through hands-on practice. By the end of the course, you will have the practical skills and understanding of the defensive strategies to lock down existing applications and build more secure applications in the future.
- Jason Lam