SEC522: SANS Cyber Security East: Feb 2022

What You Will Learn

Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.

The quantity and importance of data entrusted to web applications is increasing, and defenders need to learn how to secure these critical data. Traditional network defenses such as firewalls fail to secure web applications. In covering the OWASP Top 10 Risks and beyond, SEC522 will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.

The course will present mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. We'll introduce the nature of each vulnerability to help you understand why it happens, then we'll show you how to identify the vulnerability and provide options to mitigate it.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.

SEC522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. You will find the course useful if you are supporting or creating either traditional web applications or more modern web services for a wide range of front ends like mobile applications. The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications.

The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:
  • The OWASP Top 10
  • Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
  • Infrastructure security and configuration management
  • Securely integrating cloud components into a web application
  • Authentication and authorization mechanisms, including single sign-on patterns
  • Application language configuration
  • Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
  • Web 2.0 and its use of web services (REST/SOAP)
  • Cross-domain web request security
  • Business logic flaws
  • Protective HTTP headers
The SEC522 course features a full-day lab with hands-on exercises on how to secure a web application, starting with securing the operating system and web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site. The course makes heavy use of hands-on exercises and will conclude with a large defensive exercise that reinforces the lessons learned throughout the week.

You Will Learn:
  • How to comprehensively remediate common web application vulnerabilities.
  • How to apply defensive application design and coding practices to avoid security vulnerabilities.
  • The HTTP protocol and new technologies such as HTTP/2, QUIC (HTTP/3), and WebSockets that affect the protocol stack.
  • How to move away from basic web application security principles of "validating more" and implement effective security controls against vulnerabilities that input validation simply does not fix.
  • How to customize, implement, and maintain a baseline security standard for the web applications development lifecycle (SANS SWAT checklist), improving security and reducing exposure to common vulnerabilities such as the OWASP Top 10 Risks.
  • How to leverage HTTP header-level protection to apply strong defense systems on the client side by building another layer of defense on top of secure coding on the server side.
  • How to design better and stronger security architecture that includes infrastructure aspects in the design process.
  • How to leverage and uplift the modern security features in the web browser to further enhance the overall security of the application.
You Will Be Able To:
  • Understand the major risks and common vulnerabilities related to web applications through real-world examples.
  • Mitigate common security vulnerabilities in web applications using proper coding techniques, software components, configurations, and defensive architecture.
  • Understand the best practices in various domains of web application security such as authentication, access control, and input validation.
  • Fulfill the training requirement as stated in PCI DSS 6.5.
  • Deploy and consume web services (SOAP and REST) in a more secure fashion.
  • Proactively deploy cutting-edge defensive mechanisms such as defensive HTTP response headers and Content Security Policy to improve the security of web applications.
  • Strategically roll out a web application security program in a large environment.
  • Incorporate advanced web technologies such as HTML5 and AJAX cross-domain requests into applications in a safe and secure manner.
  • Develop strategies to assess the security posture of multiple web applications.
Hands-on Training:
  • HTTP Basics
  • Inspecting HTTP/2 traffic and crafting requests
  • Service Isolation
  • SSRF and Credential Stealing Services
  • SQL Injection
  • Guestbook CSRF
  • Cross Site Scripting
  • Unicode and File Upload
  • Authentication Exercise
  • Session Fixation and Session Breaking
  • OAuth and Access Control
  • Inspecting SSL Traffic with Wireshark
  • WSDL Enumeration and Parameter Tampering
  • XMLHttpRequest and Same Origin Policy
  • JavaScript Security Testing
  • Content Security Policy
  • DNS Rebinding
  • Clickjacking
  • HTML5
  • Subresource Integrity
  • Logging and Incident Response
  • Defending the Flag
What You Will Receive:
  • An Ubuntu Linux VMware virtual machine containing:
    • Virtual server environment consisting of a DNS, FTP, web server, and database to simulate
    • Multiple sample applications for the in-class exercises
    • Pre-installed security tools (e.g., brute forcing, manipulating proxy, and exploiting tools)
  • Printed and Electronic Courseware for the six days of lecture
  • MP3 audio files of the complete course lecture
Other Courses Students Have Taken

Courses that lead into SEC522:
  • SEC542
  • SEC504
  • SEC401
Courses that are good follow-ups to SEC522:
  • SEC542
  • SEC510
  • SEC540
  • SEC545
  • SEC530
Please note that we have changed the prefix of this course from "DEV" to "SEC" to more accurately reflect the audience. Going forward, the course will be known as "SEC522: Defending Web Applications Security Essentials". If you are browsing the SANS website or reviewing a brochure and notice the new prefix change, please note this change has NO IMPACT on the content of the course.


Start date: 21 Feb 2022
Location / delivery: Virtual