SEC522: Defending Web Applications Security Essentials

About the course

Cert: GWEB GIAC Certified Web Application Defender
This is the course to take if you have to defend web applications! The quantity and importance of data entrusted to web applications is increasing, and defenders need to learn how to secure these critical data. Traditional network defences such as firewalls fail to secure web applications. In covering the OWASP Top 10 Risks and beyond, SEC522 will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.


What You Will Learn
Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.

The course will present mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. We'll introduce the nature of each vulnerability to help you understand why it happens, then we'll show you how to identify the vulnerability and provide options to mitigate it.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.

SEC522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. You will find the course useful if you are supporting or creating either traditional web applications or more modern web services for a wide range of front ends like mobile applications. The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications.

The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:

  • The OWASP Top 10
  • Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
  • Infrastructure security and configuration management
  • Securely integrating cloud components into a web application
  • Authentication and authorization mechanisms, including single sign-on patterns
  • Application language configuration
  • Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
  • Web 2.0 and its use of web services (REST/SOAP)
  • Cross-domain web request security
  • Business logic flaws
  • Protective HTTP headers

The SEC522 course features a full day of hands-on lab exercises on how to secure a web application, starting with securing the operating system and web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site. The course makes heavy use of hands-on exercises and will conclude with a large defensive exercise that reinforces the lessons learned throughout the week.

You Will Learn:

  • How to comprehensively remediate common web application vulnerabilities.
  • How to apply defensive application design and coding practices to avoid security vulnerabilities.
  • The HTTP protocol and new technologies such as HTTP/2, QUIC (HTTP/3), and WebSockets that affect the protocol stack.
  • How to move away from basic web application security principles of "validating more" and implement effective security controls against vulnerabilities that input validation simply does not fix.
  • How to customize, implement, and maintain a baseline security standard for the web applications development lifecycle (SANS SWAT checklist), improving security and reducing exposure to common vulnerabilities such as the OWASP Top 10 Risks.
  • How to leverage HTTP header-level protection to apply strong defense systems on the client side by building another layer of defense on top of secure coding on the server side.
  • How to design better and stronger security architecture that includes infrastructure aspects in the design process.
  • How to leverage and uplift the modern security features in the web browser to further enhance the overall security of the application.

You Will Be Able To:

  • Understand the major risks and common vulnerabilities related to web applications through real-world examples.
  • Mitigate common security vulnerabilities in web applications using proper coding techniques, software components, configurations, and defensive architecture.
  • Understand the best practices in various domains of web application security such as authentication, access control, and input validation.
  • Fulfill the training requirement as stated in PCI DSS 6.5.
  • Deploy and consume web services (SOAP and REST) in a more secure fashion.
  • Proactively deploy cutting-edge defensive mechanisms such as defensive HTTP response headers and Content Security Policy to improve the security of web applications.
  • Strategically roll out a web application security program in a large environment.
  • Incorporate advanced web technologies such as HTML5 and AJAX cross-domain requests into applications in a safe and secure manner.
  • Develop strategies to assess the security posture of multiple web applications.

What You Will Receive:

  • An Ubuntu Linux VMware virtual machine containing:
      • A virtual server environment consisting of a DNS, FTP, web server, and database to simulate
      • Multiple sample applications for the in-class exercises
      • Pre-installed security tools (e.g., brute forcing, manipulating proxy, and exploiting tools)
  • Printed and electronic courseware for the six days of lecture
  • MP3 audio files of the complete course lecture

Other Courses Students Have Taken

Courses that lead into SEC522:

  • SEC542
  • SEC504
  • SEC401

Courses that are good follow-ups to SEC522:

  • SEC542
  • SEC510
  • SEC540
  • SEC545
  • SEC530

Please note that we have changed the prefix of this course from "DEV" to "SEC" to more accurately reflect the audience. Going forward, the course will be known as "SEC522: Defending Web Applications Security Essentials". If you are browsing the SANS website or reviewing a brochure and notice the new prefix change, please note this change has NO IMPACT on the content of the course.

Syllabus (36 CPEs)

SEC522.1: Web Fundamentals and Security Configurations

SEC522.2: Defense Against Input Related Threats

SEC522.3: Web Application Authentication and Authorization

SEC522.4: Web Services and Front-End Security

SEC522.5: Cutting-Edge Web Security

SEC522.6: Capture-and-Defend-the-Flag Exercise


GIAC Certified Web Application Defender
The GIAC Web Application Defender certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems. The successful candidate will have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended. GIAC Certified Web Application Defenders (GWEB) have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.

  • Access Control, AJAX Technologies and Security Strategies, Security Testing, and Authentication
  • Cross Origin Policy Attacks and Mitigation, CSRF, and Encryption and Protecting Sensitive Data
  • File Upload, Response Readiness, Proactive Defense, Input Related Flaws and Input Validation
  • Modern Application Framework Issues and Serialization, Session Security & Business Logic
  • Web Application and HTTP Basics, Web Architecture, Configuration, and Security

Prerequisites
This class requires a basic understanding of web application technology and concepts such as HTML and JavaScript.

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class, and it is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

CPU: Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
Windows users can use this article to learn more about their CPU and OS capabilities.
Apple users can use this support page to learn more information about Mac 64-bit capability.
BIOS: Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.
USB: At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
RAM: 8 GB RAM is required for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."
Hard Drive Free Space: 60 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.