• Online, Self-Paced
  • Classroom
Course Description

This is the course to take if you have to defend web applications!

The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Traditional network defenses, such as firewalls, fail to secure web applications. DEV522 covers the OWASP Top 10 Risks and will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world applications that have been proven to work. The testing aspect of vulnerabilities will also be covered so that you can ensure your application is tested for the vulnerabilities discussed in class.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.

DEV522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications.

The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:

  • Infrastructure security
  • Server configuration
  • Authentication mechanisms
  • Application language configuration
  • Application coding errors like SQL injection and cross-site scripting
  • Cross-site request forging
  • Authentication bypass
  • Web services and related flaws
  • Web 2.0 and its use of web services
  • XPATH and XQUERY languages and injection
  • Business logic flaws
  • Protective HTTP headers

The course will make heavy use of hands-on exercises and concludes with a large defensive exercise that reinforces the lessons learned throughout the week.

Learning Objectives

  • Understand the major risks and common vulnerabilities related to web applications through real-world examples.
  • Mitigate common security vulnerabilities in web applications using proper coding techniques, software components, configurations, and defensive architecture.
  • Understand the best practices in various domains of web application security such as authentication, access control, and input validation.
  • Fulfill the training requirement as stated in PCI DSS 6.5.
  • Deploy and consume web services (SOAP and REST) in a more secure fashion.
  • Proactively deploy cutting-edge defensive mechanisms such as the defensive HTTP response headers and Content Security Policy to improve the security of web applications.
  • Strategically roll out a web application security program in a large environment.
  • Incorporate advanced web technologies such as HTML5 and AJAX cross-domain requests into applications in a safe and secure manner.
  • Develop strategies to assess the security posture of multiple web applications.

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.