Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. After spending significant time examining a poorly designed (from a security perspective) web application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle. The Secure Web Application Development Overview is geared for web developers and technical stakeholders who need to produce secure web applications, integrating security measures


* Actual course outline may vary depending on offering center. Contact your sales representative for more information.

Learning Objectives

Students who attend Secure Web Application Development will gain an understanding of how to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. This course introduces the most common security vulnerabilities faced by web applications today. Each vulnerability is examined from a coding perspective through a process of describing the threat and attack mechanisms, recognizing the associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses.

Guided by our application security expert, attendees will explore how to:
Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
Identify defect/bug reporting mechanisms within their organizations
Set up and use various tools and techniques to determine a web application’s operational environment
Set up and use various tools and techniques to enumerate all aspects of a web application
Set up and use various tools and techniques to scan a web application for vulnerabilities
Work with specific tools for targeted vulnerabilities
Avoid common mistakes that are made in bug hunting and vulnerability testing
Understand the concepts and terminology behind defensive, secure coding, including the phases and goals of a typical exploit
Develop an appreciation for the need and value of a multilayered defense in depth
Understand potential sources of untrusted data
Understand the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injection
Test web applications with various attack techniques to determine the existence and effectiveness of layered defenses
Prevent and defend against the many potential vulnerabilities associated with untrusted data
Understand the vulnerabilities associated with authentication and authorization
Detect, attack, and implement defenses for authentication and authorization functionality and services
Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and injection attacks
Detect, attack, and implement defenses against XSS and injection attacks
Understand the risks associated with XML processing, file uploads, and server-side interpreters, and how best to eliminate or mitigate those risks
Learn the strengths, limitations, and uses of tools such as code scanners, dynamic scanners, and web application firewalls (WAFs)
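The objectives above describe a repeating cycle: describe the attack, recognize the vulnerable code, implement a layered defense, and then test that the defense actually holds. The following example, added here and not part of the course material, walks that cycle once for SQL injection against a login query, using Python's standard-library sqlite3 module with a constructed in-memory user table. Passwords are stored in plaintext only so that the classic bypass stays visible; real code stores salted hashes (the course's "Handling Passwords on Server Side" topic). The defended version layers a whitelist check on the username in front of a parameterized query, illustrating both "Whitelisting vs Blacklisting" and defense in depth. Function and table names are this example's own assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a throwaway in-memory user table.
    Plaintext passwords are a deliberate simplification for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Step 1/2 of the cycle: the attack and the vulnerable code.
    Untrusted input is concatenated into the query text, so an attacker
    who controls either field can change the query's structure."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# Whitelist: what a username IS allowed to look like, rather than a
# blacklist of characters an attacker might use.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(username):
    """Outer layer of defense: reject anything outside the whitelist."""
    return USERNAME_RE.fullmatch(username) is not None


def login_defended(conn, username, password):
    """Step 3 of the cycle: layered defense.
    The parameterized query is the real fix; the whitelist is the extra
    layer that limits damage if some other query is written carelessly."""
    if not is_valid_username(username):
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_checks():
    """Step 4 of the cycle: test both versions with legitimate input and
    with two classic injection payloads. Returns a dict of outcomes."""
    conn = make_db()
    comment_out_password = "alice' --"          # comments away the password check
    always_true_password = "x' OR '1'='1"       # makes the WHERE clause always true
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_comment_attack": login_vulnerable(conn, comment_out_password, "anything"),
        "vuln_or_attack": login_vulnerable(conn, "nobody", always_true_password),
        "def_legit": login_defended(conn, "alice", "correct horse"),
        "def_comment_attack": login_defended(conn, comment_out_password, "anything"),
        "def_or_attack": login_defended(conn, "nobody", always_true_password),
        "def_wrong_password": login_defended(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

Both payloads log the attacker in through the vulnerable function and are rejected by the defended one. Note that the second payload ("nobody" with an always-true password) passes the username whitelist; only the parameterized query stops it, which is why the whitelist is an extra layer and not a substitute for binding parameters.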

  • Introduction: Misconceptions
    Security: The Complete Picture
    Seven Deadly Assumptions
    Anthem, Sony, Target, Heartland, and TJX Debriefs
    Causes of Data Breaches
    Meaning of Being Compliant
    Verizon’s 2015 Data Breach Report
    2015 PCI Compliance Report

  • Lesson: Security Concepts
    Motivations: Costs and Standards
    Open Web Application Security Project
    Web Application Security Consortium
    CERT Secure Coding Standards
    Assets are the Targets
    Security Activities Cost Resources
    Threat Modeling
    System/Trust Boundaries

  • Lesson: Principles of Information Security
    Security Is a Lifecycle Issue
    Minimize Attack Surface Area
    Layers of Defense: Tenacious D
    Consider All Application States
    Do NOT Trust the Untrusted

  • Lesson: Unvalidated Input
    Buffer Overflows
    Integer Arithmetic Vulnerabilities
    Unvalidated Input: From the Web
    Defending Trust Boundaries
    Whitelisting vs Blacklisting

  • Lesson: Overview of Regular Expressions
    Regular Expressions
    Working With Regexes in Java
    Applying Regular Expressions

  • Lesson: Broken Access Control
    Access Control Issues
    Excessive Privileges
    Insufficient Flow Control
    Unprotected URL/Resource Access
    Examples of Shabby Access Control
    Session and Session Management

  • Lesson: Broken Authentication
    Broken Quality/DoS
    Authentication Data
    Username/Password Protection
    Exploits Magnify Importance
    Handling Passwords on Server Side
    Single Sign-on (SSO)

  • Lesson: Cross Site Scripting (XSS)
    Persistent XSS
    Reflective XSS
    Best Practices for Untrusted Data

  • Lesson: Injection
    Injection Flaws
    SQL Injection Attacks Evolve
    Drill Down on Stored Procedures
    Other Forms of Injection
    Minimizing Injection Flaws

  • Lesson: Error Handling and Information Leakage
    Fingerprinting a Web Site
    Error-Handling Issues
    Logging In Support of Forensics
    Solving DLP Challenges

  • Lesson: Insecure Data Handling
    Protecting Data Can Mitigate Impact
    In-Memory Data Handling
    Secure Pipes
    Failures in the SSL Framework Are Appearing

  • Lesson: Insecure Configuration Management
    System Hardening: IA Mitigation
    Application Whitelisting
    Least Privileges
    Secure Baseline

  • Lesson: Direct Object Access
    Dynamic Loading
    Direct Object References

  • Lesson: Spoofing and Redirects
    Name Resolution Vulnerabilities
    Fake Certs and Mobile Apps
    Targeted Spoofing Attacks
    Cross Site Request Forgeries (CSRF)
    CSRF Defenses are Entirely Server-Side
    Safe Redirects and Forwards

  • Lesson: Understanding What’s Important
    Common Vulnerabilities and Exposures
    OWASP Top Ten for 2013
    CWE/SANS Top 25 Most Dangerous SW Errors
    Monster Mitigations
    Strength Training: Project Teams/Developers
    Strength Training: IT Organizations

  • Lesson: Defending XML
    XML Signature
    XML Encryption
    XML Attacks: Structure
    XML Attacks: Injection
    Safe XML Processing

  • Lesson: Defending Web Services
    Web Service Security Exposures
    When Transport-Level Alone is NOT Enough
    Message-Level Security
    WS-Security Roadmap
    XWSS Provides Many Functions
    Web Service Attacks
    Web Service Appliance/Gateways

  • Lesson: Defending Rich Interfaces and REST
    How Attackers See Rich Interfaces
    Attack Surface Changes When Moving to Rich Interfaces
    Bridging and its Potential Problems
    Three Basic Tenets for Safe Rich Interfaces
    OWASP REST Security Recommendations

  • Lesson: SDL Process Overview
    Software Security Axioms
    Security Lifecycle – Phases

  • Lesson: Applying Processes and Practices
    Awareness
    Application Assessments
    Security Requirements
    Secure Development Practices
    Security Architecture/Design Review
    Security Code Review
    Configuration Management and Deployment
    Vulnerability Remediation Procedures

  • Lesson: Risk Analysis
    Threat Modeling Process
    1. Identify Security Objectives
    2. Describe the System
    3. List Assets
    4. Define System/Trust Boundaries
    5. List and Rank Threats
    6. List Defenses and Countermeasures

  • Lesson: Testing Tools and Processes
    Security Testing Principles
    Black Box Analyzers
    Static Code Analyzers
    Criteria for Selecting Static Analyzers

  • Lesson: Testing Practices
    OWASP Web App Penetration Testing
    Authentication Testing
    Session Management Testing
    Data Validation Testing
    Denial of Service Testing
    Web Services Testing
    Ajax Testing


This is an introductory-level course designed for technical application project stakeholders who wish to get up and running on developing well-defended web applications. Real-world programming experience is highly recommended for the code reviews.

Introduction to Web Application Security – A Technical Overview Seminar

Length: 2.0 days (16 hours)