SEC522: OnDemand
Provided by SANS
What You Will Learn
Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.
Over the course of SEC522, we demonstrate the real-world risks associated with web applications, emphasizing the many ways that sensitive data can be exposed or compromised. From here, participants learn practical techniques to mitigate these risks, assess vulnerabilities, and effectively communicate residual risks.
Students will be able to apply the skills that they learned in SEC522 the moment they return to work, recognizing and mitigating vulnerabilities across design, implementation, deployment and application maintenance. Students will learn to communicate these risks early in the development lifecycle ("shifting left"). This ensures more efficient testing and decision-making, saves time, money, and resources while improving overall application security within the organization.
"If you want to know everything about web apps and web app security, this is the perfect course!" - Chris Kansas, ThreatX
What Is Application Security?
Application security protects web applications andAPIss from a variety of current cyber threats. It identifies and mitigates vulnerabilities. Key strategies include implementing a secure architecture, secure coding practices, protecting against attacks like SQL injection and cross-site scripting (XSS), implementing proper access controls. Embedding security early in the development process to reduce risk and maintain data integrity.
Business Takeaways
The lab environment offers a realistic application setting where students can explore attacks and see the impact of defensive mechanisms. Structured as a challenge with helpful hints, the hands-on labs provide practical experience that students can apply immediately when they return to work. The 20 labs across Sections 1 to 5 culminate in an exciting 3-4 hour competitive Defend the Flag Capstone. This final challenge allows participants to put their skills to the test in a dedicated, immersive exercise.
"Lots of good hands-on exercises using real world examples." - Nicolas Kravec, Morgan Stanley
"The exercises are a good indicator of understanding the material. They worked flawlessly for me." - Robert Fratila, Microsoft
Syllabus Summary
DevSecOps Professionals:
Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.
Over the course of SEC522, we demonstrate the real-world risks associated with web applications, emphasizing the many ways that sensitive data can be exposed or compromised. From here, participants learn practical techniques to mitigate these risks, assess vulnerabilities, and effectively communicate residual risks.
Students will be able to apply the skills that they learned in SEC522 the moment they return to work, recognizing and mitigating vulnerabilities across design, implementation, deployment and application maintenance. Students will learn to communicate these risks early in the development lifecycle ("shifting left"). This ensures more efficient testing and decision-making, saves time, money, and resources while improving overall application security within the organization.
"If you want to know everything about web apps and web app security, this is the perfect course!" - Chris Kansas, ThreatX
What Is Application Security?
Application security protects web applications andAPIss from a variety of current cyber threats. It identifies and mitigates vulnerabilities. Key strategies include implementing a secure architecture, secure coding practices, protecting against attacks like SQL injection and cross-site scripting (XSS), implementing proper access controls. Embedding security early in the development process to reduce risk and maintain data integrity.
Business Takeaways
- Comply with PCI DSS and other compliancerequirements
- Reduce the overall application security risks, protect company reputation
- Adopt the "shifting left" mindset where security issues addressed early and quickly. This reduces cost.
- Ability to adopt modern apps with API and microservices in a secure manner
- This course prepares students for the GWEB certification
- Defend against the attacks specified in OWASP Top 10
- Infrastructure security and configuration management
- Securely integrating cloud components into a web application
- Learn about Authentication and authorization mechanisms, including single sign-on patterns
- Understand modern authentication/authorization protocols such as OAuth and SAML
- Modernize authentication patterns with password-less and phish resilient mechanisms
- Understand cross-domain web request security
- Leverage protective HTTP headers
- Defending SOAP, REST and GraphQL APIs
- Securely implement Microservice architecture
- Defending against input related flaws such as SQL injection, XSS and CSRF
- Understand the effect of integrating AI components and tools into modern application development
The lab environment offers a realistic application setting where students can explore attacks and see the impact of defensive mechanisms. Structured as a challenge with helpful hints, the hands-on labs provide practical experience that students can apply immediately when they return to work. The 20 labs across Sections 1 to 5 culminate in an exciting 3-4 hour competitive Defend the Flag Capstone. This final challenge allows participants to put their skills to the test in a dedicated, immersive exercise.
- Section 1: HTTP Basics, HTTP/2 traffic inspection and spoofing, Environment isolation, SSRF and credential-stealing
- Section 2: SQL Injection, Cross Site Request Forgery, Cross Site Scripting, Unicode and File Upload
- Section 3: Authentication vulnerabilities and defense, Multifactor authentication, Session vulnerabilities and testing, Authorization vulnerabilities and defense, SSL vulnerabilities and testing, Proper encryption use in web application
- Section 4: WSDL enumerations, Cross Domain AJAX, Front End Features and CSP (Content Security Policy), Clickjacking
- Section 5: Deserialization and DNS rebinding, GraphQL, API security deep dives and JSON
- Section 6: Defending the Flag capstone exercise
"Lots of good hands-on exercises using real world examples." - Nicolas Kravec, Morgan Stanley
"The exercises are a good indicator of understanding the material. They worked flawlessly for me." - Robert Fratila, Microsoft
Syllabus Summary
- Section 1: Understand web application architecture, vulnerability and configuration management.
- Section 2: Detect, mitigate and defend input related threats.
- Section 3: Authentication, Authorization and Cryptography
- Section 4: Front end security with modern scripting engines
- Section 5: REST & GraphQL API with microservice architecture
- Section 6: Defending the Flag exercise
- Cloud Security & DevSecOps Best Practices, poster
- Fix Security Issues Left of Prod, cheat sheet
- SWAT Checklist, webpage
- Cloud Ace Podcast
- Printed and electronic courseware
- Exercise workbook with over 100 pages of detailed step-by-step instructions
- A virtual machine with Linux operating system and multiple container environments simulating various vulnerable conditions for students to explore during class exercise
- A poster containing the summary of the most crucial defensive techniques covered in the course in a checklist format which can be used as a baseline Web defensive framework/standard for your organization.
- MP3 audio files of the complete course lecture
DevSecOps Professionals:
- SEC540: Cloud Security and DevSecOps Automation | GCSA
- SEC542: Web Application Penetration Testing and Ethical Hacking | GWAPT
- SEC588: Cloud Penetration Testing | GCPN
Enquire
Start date | Location / delivery | |
---|---|---|
No fixed date | Virtual | Book now |