Training Course: Designing Secure Web Applications

Description

The design and implementation of secure Web Applications is a huge challenge that requires significant expertise in programming, web application development, and IT Security. This course is designed exclusively for experienced web-application developers to empower them to develop secure web applications by illuminating the most common serious vulnerabilities and how to avoid them.

Audience

Experienced Java, C#, and PHP web-application developers seeking to understand and avoid introducing common security vulnerabilities into their designs and applications.

Duration

3 Days

Objectives

  • Be familiar with common web application security vulnerabilities
  • Understand how security vulnerabilities can be introduced into web applications
  • Understand how to properly validate Untrusted Input
  • Understand the purpose and benefits of Data Sanitization
  • Be familiar with the Input Validator and Sanitizer Design Patterns
  • Be prepared to avoid SQL Injection Vulnerabilities
  • Be prepared to avoid Cross-Site Scripting (XSS) Vulnerabilities
  • Be prepared to avoid Authentication and Session Vulnerabilities
  • Be better prepared to test web application security

Setup

  • A Web Application Server Environment, such as:
    • Java 2 Enterprise Edition (J2EE)
    • Microsoft C# .NET Studio
    • Apache and PHP
  • A Web Browser and Proxy, such as:
    • Firefox
    • TamperData
  • A Database Management System, such as:
    • Apache Derby
    • SQL Server Express

Text

  • Course Workbook

Prerequisites

  • Application Security and the SDLC
  • A solid understanding of either Java and JSPs, OR C# .NET and ASPs, OR PHP

Outline

Topic 1: Introduction

  • Welcome
  • Motivation
  • Course Objectives
  • Course Overview
  • The Software Development Lifecycle (SDLC)
  • Security in the SDLC
  • The Importance of Security Requirements
  • Application Security in Context
  • Lab Exercise: Requiring Security
  • Quiz

Topic 2: Preventing Malformed Input

  • Validating Untrusted Input
  • Handling Unexpected Input
  • Validating Input Data
  • Input Validator Design Pattern
  • What is a Regular Expression?
  • Regular Expressions: Example
  • More Regular Expressions
  • More Regular Expression Examples
  • Lab Exercise: Input Validation
  • Quiz

Topic 3: Preventing Injection Attacks

  • What is an Injection Attack?
  • Preventing Injection Attacks
  • Validating Untrusted Input
  • Syntactic Validation
  • Logical Validation
  • Data Encoding
  • Client Side Data Validation
  • Server Side Data Validation
  • Where to Validate
  • Handling Unexpected Input
  • Example: Using Tamper Data
  • Lab Exercise: Injection Rejection
  • Quiz

Topic 4: Preventing XSS

  • What is Cross-site Scripting?
  • Example: Cross-site Scripting
  • Exploiting XSS Vulnerabilities
  • Case Study: But I don’t Like Spam
  • Preventing Cross-site Scripting
  • Preventing XSS in HTML Body
  • Preventing XSS in HTML Attributes
  • Preventing XSS in Javascript Data Values
  • Example: A Simple Encoder
  • Example: Encoding at Work
  • Lab Exercise: Injection Rejection
  • Quiz

Topic 5: Preventing SQL Injection

  • What is SQL Injection?
  • Case Study: I Still Don’t Like Spam
  • Preventing SQL Injection
  • Prepared Statements
  • Lab Exercise: Injection Rejection
  • Quiz

Topic 6: Preventing Command Injection

  • What is Command Injection?
  • Case Study: Do the Math
  • Preventing Command Injection
  • Other Injection Attacks
  • Preventing Direct Object References
  • Preventing Format String Attacks
  • Summary of Special Characters
  • Encoding Special Characters
  • Lab Exercise: No, You do the Math
  • Quiz

Topic 7: Preventing Other Vulnerabilities

  • How Do You Prevent…?
  • Lab Exercise: What’s in Your Wallet?
  • Quiz

Topic 8: Miscellaneous Topics

  • Application Security in Perspective
  • Security Manager Design Pattern
  • Avoiding Common Vulnerabilities
  • Security in the SDLC
  • The Security Design Review
  • The OWASP ESAPI

Appendix: Developing Secure Mobile Applications

Appendix: Summary of Special Characters

Appendix: Quiz Answers