
Securing Web Applications Overview

Securing Web Applications Overview is geared for web developers and technical stakeholders who need to produce secure web applications, integrating security measures into the development process from requirements to deployment and maintenance. This overview-level course explores core concepts and challenges in web application security, showcasing current, real-world examples that illustrate the potential consequences of not following these best practices. Go beyond theory and learn practical skills directly applicable to your work: ethical hacking, bug hunting, detection, and mitigation of threats to authentication and authorization functionalities. You'll understand the mechanics and threats of Cross-Site Scripting (XSS) and Injection attacks and comprehend the risks and mitigation strategies associated with XML processing, software uploads, and deserialization. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle.

Course Overview

Overall Proficiency Level
1 - Basic
Course Prerequisites
  • Basic understanding of web development and web architecture
  • Some familiarity with basic programming concepts.
  • Basic understanding of web security concepts.
Training Purpose
Management Development
Skill Development
Specific Audience
All
Delivery Method
Classroom
Online, Instructor-Led
Course Locations

8890 McGaw Road
Suite 200
Columbia, MD 21045

625 W Adams Street
Chicago, IL 60661

5908 Headquarters Drive
Suite 400
Plano, TX 75024

201 N Franklin St
Floor 37
Tampa, FL 33602

40 E. Rio Salado Parkway
Suite 200
Tempe, AZ 85281


Learning Objectives

  • Perform hacking and bug hunting in a safe and appropriate manner.
  • Identify defect/bug reporting mechanisms within their organizations.
  • Set up and use various tools and techniques to determine a web application’s operational environment.
  • Set up and use various tools and techniques to enumerate all aspects of a web application and vulnerabilities.
  • Work with specific tools for targeted vulnerabilities.
  • Determine common mistakes that are made in bug hunting and vulnerability testing.
  • Define concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit.
  • Develop an appreciation for the need and value of a multilayered defense in depth.
  • Determine potential sources for untrusted data.
  • Distinguish the consequences of not properly handling untrusted data such as denial of service, cross-site scripting, and injections.
  • Determine the existence of and effectiveness of layered defenses to test web applications with various attack techniques.
  • Prevent and defend potential vulnerabilities associated with untrusted data.
  • Confirm the vulnerabilities associated with authentication and authorization.
  • Detect, attack, and implement defenses for authentication, authorization, functionality and services as well as XSS and Injection attacks.
  • Describe the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks.
  • Assess the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or mitigate those risks.
  • Comprehend the strengths, limitations, and uses of tools such as code scanners, dynamic scanners, and web application firewalls (WAFs).
  • Apply techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure.

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Feedback

If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.

Last Published Date: