Certified Secure Web Application Engineer

The Certified Secure Web Application Engineer 4 day instructor-led course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will put theory to practice by completing real world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risks analysis and threat modeling, conducting secure code reviews and more.

On the final day of training, students will complete a real world hacking exercise on a live web application.

These secure coding skills are in desperate need today because the internet is one of the most dangerous places to do business; there are countless cases of valuable information being stolen from businesses because there was a vulnerability in their web applications. When programmers don’t understand the principles of secure coding, doors are open to those who do.

Upon Completion

Students will have knowledge to:

• Perform web application penetration testing to expose vulnerabilities.
• Design & implement controls to defend against application vulnerabilities.
• Integrate security best practices into the software development lifecycle
• Be ready to sit for the C)SWAE certification exam.

The C)SWAE is a four day instructor-led course that will cover secure coding practices and testing for web applications. It is comprised of 10 Modules and an appendix which includes extra practice labs to perform outside of class to solidify secure coding practices.

Students will put theory to practice by completing real world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risks analysis and threat modelling, conducting secure code reviews and more.

Module 1: Web Application Security

• Web Application Security
• Web Application Technologies and Architecture
• Secure Design Architecture
• Application Flaws and Defense Mechanisms
• Defense In-Depth
• Secure Coding Principles
• Lab: Environment Setup - Lab

Module 2: OWASP TOP 10

• The Open Web Application Security Project (OWASP)
• OWASP TOP 10 2013
• Lab: Environment Setup - Lab

Module 3: Threat Modeling & Risk Management

• Threat Modeling Tools & Resources
• Identify Threats
• Identify Countermeasures
• Choosing a Methodology
• Post Threat Modeling
• Analyzing and Managing Risk
• Incremental Threat Modeling
• Identify Security Requirements
• Understand the System
• Root Cause Analysis
• Lab: Threat Modeling and Architecture Risk Analysis
• Lab: Quick Threat Modeling (the Doctor use case)

Module 4: Application Mapping

• Application Mapping
• Web Spiders
• Web Vulnerability Assessment
• Discovering other content
• Application Analysis
• Application Security Toolbox
• Setting up a Testing Environment
• Lab: Web Application Mapping using Ethical Hacking Tools

Module 5: Authentication and Authorization attacks

• Authentication
• Different Types of Authentication (HTTP, Form)
• Client Side Attacks
• Authentication Attacks
• Authorization
• Modeling Authorization
• Least Privilege
• Access Control
• Authorization Attacks
• Access Control Attacks
• User Management
• Password Storage
• User Names
• Account Lockout
• Passwords
• Password Reset
• Client-Side Security
• Anti-Tampering Measures
• Code Obfuscation
• Anti-Debugging
• Lab: Client Side, Authentication and Authorization Attacks

Module 6: Session Management attacks

• Session Management Attacks
• Session Hijacking
• Session Fixation
• Environment Configuration Attacks
• Lab: Session Management, Access Controls and Configuration Attacks

Module 7: Application Logic attacks

• Application Logic Attacks
• Information Disclosure Exploits
• Data Transmission Attacks
• Lab: Application Logic, Information Disclosure and Data Transmission Attacks

Module 8: Data Validation

• Input and Output Validation
• Trust Boundaries
• Common Data Validation Attacks
• Data Validation Design
• Validating Non-Textual Data
• Validation Strategies & Tactics
• Errors & Exception Handling
• Structured Exception Handling
• Designing for Failure
• Designing Error Messages
• Failing Securely
• Lab: Cert Java Oracle Secure Coding IDS

Module 9: AJAX attacks

• AJAX Attacks
• Web Services Attacks
• Application Server Attacks
• Lab: AJAX, Web Services and Server Attacks

Module 10: Code Review and Security Testing

• Insecure Code Discovery and Mitigation
• Testing Methodology
• Client Side Testing
• Session Management Testing
• Developing Security Testing Scripts
• Pentesting a Web Application
• Lab: Performing Code review and Building Security Test Scripts

Module 11: Web Application Penetration Testing

• Insecure Code Discovery and Mitigation
• Benefits of a Penetration Test
• Current Problems in WAPT
• Learning Attack Methods
• Methods of Obtaining Information
• Passive vs. Active Reconnaissance
• Footprinting Defined
• Introduction to Port Scanning
• OS Fingerprinting
• Web Application Penetration Methodologies
• The Anatomy of a Web Application Attack
• Fuzzers
• Lab: Performing Web Application PenTesting steps

Module 12: Secure SDLC

• Secure-Software Development Lifecycle (SDLC)
• Methodology
• Web Hacking Methodology
• Lab: Case Study and Web Penetration Testing Assignment

Module 13: Cryptography

• Overview of Cryptography
• Key Management
• Cryptography Application
• True Random Generators (TRNG)
• Symmetric/Asymmetric Cryptography
• Digital Signatures and Certificates
• Hashing Algorithms
• XML Encryption and Digital Signatures
• Authorization Attacks
• Lab: Encryption in Secure Coding (Example for Java, PHP and .NET)

Labs:

Introduction & Instructions

• Exercise 1: Logging into WebGoat
• Exercise 2: Running WebScarab
• Exercise 3: Manipulating Data

Lab 1: Spoofing Authentication Cookies

Details not disclosed.

Lab 2: How to Perform Cross Site Scripting (XSS)

Details not disclosed.

Lab 3: Injection flaws

• Exercise 1: SQL Injection
• Exercise 2: String SQL Injection
• Exercise 3: String SQL Injection

Lab 4: Improper Error Handling

• Exercise 1 - Fail Open Authentication

Lab 5: Parameter Tampering

Details not disclosed.

Lab 6: Denial of Service

Details not disclosed.

Lab 7: Writing Java Secure Code

• Input Validation and Data Sanitization (IDS)
• IDS00-J. Sanitize untrusted data passed across a trust boundary
• Input Validation and Data Sanitization (IDS)
• IDS02-J. Canonicalize path names before validating them
• Input Validation and Data Sanitization (IDS)
• IDS03-J. Do not log unsanitized user input
• Input Validation and Data Sanitization (IDS)
• IDS04-J. Safely extract files from ZipInputStream
• Input Validation and Data Sanitization (IDS)
• IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method

Proficiency in web app programming in a language of your choice

The Certified Secure Web Application Engineer Certification Course is designed for those have a background in web application development and want to have the skill set to make their applications secure. While not required, we recommend being familiar with general cyber security topics, including those taught in our C)ISSO: Information Systems Security Officer course.