This course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students put theory into practice in real-world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risk analysis and threat modeling, conducting secure code reviews, and more. On the final day of training, students complete a real-world hacking exercise against a live web application.
Upon completion, attendees should have the skills to perform the following:
- Identify application security vulnerabilities in any software application
- Review software architecture diagrams and identify attack points
- Perform web application penetration testing
- Design controls to defend against application vulnerabilities
- Identify vulnerabilities as they relate to the OWASP Top 10
- Perform advanced attacks against web applications
- Perform security code reviews
- Develop security test scripts
- Build a web hacking toolbox
- Integrate security best practices into the Software Development Lifecycle (SDLC)
- Communicate application vulnerabilities to both technical and non-technical audiences
Objective Of Labs:
This is an intensive hands-on class: students spend 50% of class time performing labs that cover both the OWASP model and the secure-coding requirements of PCI compliance.
This 4-day course retails for $3,500.
Learning Objectives
COURSE DETAILS:
Module 0: Web Application Intro
Module 1: Software Security Explained
Module 2: Risk Management
Module 3: Secure Architecture Design
Module 4: OWASP Top 10
Module 5: Threat Modeling
Module 6: Software Security Vulnerabilities
Module 7: Other Vulnerabilities
Module 8: Overview of Secure Coding
Module 9: Secure Coding Principles
Module 10: Secure Software Development Lifecycle
Module 11: PCI Data Security Standard
Module 12: Web 2.0
Module 13: Other Key Items
Module 14: Selling Security to Management
Module 15: Web Application Penetration Testing
LAB CONTENT
Module 1 - Environment Setup and Architecture
Module 2 - OWASP TOP 10 2013
Module 3 - Threat Modeling
Module 4 - Application Mapping & Analysis
Module 5 - Authentication and Authorization attacks
Module 6 - Session Management attacks
Module 9 - AJAX Security
Module 10 - Code Review and Security Testing
Lab 10-1 - Code Review
Lab 10-2 - Security Test Scripts
Lab 10-3 - Writing Java Secure Code
Annex 11: Alternative Labs
Lab 11-1: WebGoat & WebScarab
Lab 11-2: WebGoat - Cross Site Request Forgery (CSRF)
Lab 11-3: Missing Function Level Access Control
Lab 11-4: Perform Forced Browsing Attacks
Framework Connections
Specialty Areas
- Cyber Defense Analysis
- Software Development
- Systems Analysis
- Test and Evaluation
- Vulnerability Assessment and Management
Feedback
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.