Developer 422: Defending Web Applications Security Essentials
Overview
Defending Web applications is critical!
Traditional network defenses such as firewalls fail to secure Web applications, which must remain available to large user communities. The amount and importance of data entrusted to Web applications is growing, and defenders need to learn how to secure it. DEV422 covers the OWASP Top 10 and will help you better understand Web application vulnerabilities, enabling you to properly defend your organization's Web assets.
Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.
The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies such as AJAX and Web services.
To maximize the benefit for a wide range of audiences, the discussions in this course are programming-language agnostic. The focus stays on security strategies rather than code-level implementation.
DEV422: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers and auditors who are interested in recommending proper mitigations to Web security issues, and infrastructure security professionals who have an interest in better defending their Web applications.
Sampling of Topics
Who Should Attend:
- Application developers
- Application security analysts or managers
- Application architects
- Penetration testers who are interested in learning about defense strategies
- Security professionals who are interested in learning about application security
- Auditors who need to understand defensive mechanisms in applications
Laptop
Students attending this course are required to bring their own laptops pre-configured per the instructions below. This must be done before class starts.
Minimum hardware requirements:
- 1.5GHz processor
- 512MB RAM (1GB highly recommended)
- 3GB free hard disk space
- CD-ROM drive
- An unused USB slot
A laptop running Windows 2000, XP, or Vista with the latest Service Packs and patches is required.
Install the following software on the computer:
- Java Runtime Environment (JRE) - please download from http://www.sun.com
- Firefox browser - latest revision of version 3.5
Install VMware Player or VMware Workstation on the laptop. (GSX and ESX will not work.) VMware Player can be downloaded for free at http://www.vmware.com.
You must have administrative privileges on the laptop, with the ability to disable the host firewall (Windows Firewall or a third-party firewall) and any anti-virus software running on it. At the beginning of class you will be given a bootable Linux CD. This CD will be booted within VMware as a virtual machine.
The Windows host and the Linux guest need to communicate with each other over the VMware network interface. A firewall could block that communication and cause some of the exercises to fail.
Questions regarding these laptop requirements can be directed to SANS at laptop_prep@sans.org.
Day Information
Day 1
Web Application Security Essentials
We begin day one with an overview of the software development life cycle and security. Proper security control and process during development is essential to having secure applications. We follow that up with an overview of the essential technologies that are at play in Web applications. You can't win the battle if you don't understand what you are trying to defend. We arm you with the right information so you can understand how Web applications work and the security concepts related to them.
We discuss the authentication aspect of Web applications in depth. Authentication vulnerabilities are covered, followed by examples of exploitation and the mitigations that can be implemented in the short and long term. We complete the discussion with information on how to discover and test for these vulnerabilities.
Authorization is the last topic of the day. The goal of this discussion is making sure the application properly controls access to the appropriate resources. You will learn the right way to plan for access control during the development life cycle and the common pitfalls of access control. As with the authentication discussion, we start with the vulnerabilities, then move on to mitigations and testing, followed by a section on authorization best practices.
Day 2
Web Application Security Essentials
Since the Internet provides no guarantee of secrecy for information transferred over it, encryption is commonly used to protect the integrity and secrecy of information on the Web. We cover the security of data in transit and at rest, and how encryption can help secure that information in the context of Web application security. Advanced session topics such as Cross-Site Request Forgery are also covered.
We continue with a discussion of session management in Web applications. We go over the techniques attackers use against session mechanisms and the related defense strategies. Session security best practices are discussed to ensure your application's session management is as strong as possible.
Next we cover business logic flaws and concurrency. These flaws are difficult for automated scanners to detect, so it is essential that security personnel understand these problems and avoid them at all costs.
The day ends with basic input-related flaws as well as SQL injection. The basic mechanics of these vulnerabilities are covered, followed by real-world attack trends. Most importantly, we delve into the mitigation of these vulnerabilities and the best practices for avoiding these critical flaws.
Day 3
Web Application Security Essentials
Day three begins with a detailed discussion on Cross-Site Scripting, related mitigation, and testing strategy as well as HTTP response splitting.
The code in an application may be totally locked down; however, if the server configuration is insecure, the server running the application can easily be compromised. Locking down the Web environment is an essential topic, so the basic concepts of defending the platform and host are covered.
To enable any detection of intrusions, logging and error handling must be done correctly. We discuss the correct approach to handling incidents and handling logs, and go further to cover the intrusion detection aspect of Web application security.
In the afternoon we turn our focus to proactive defense mechanisms so that we stay ahead of the bad guys in the game of hack and defend. Topics such as file upload handling, intrusion detection, honeypots, redirection, additional in-depth authentication information, and practical input validation strategy are covered. The afternoon material is designed to give you the extra edge in defending your application.
Day 4
Web Application Security Essentials
Day four of the course is dedicated to AJAX and Web services security. Asynchronous JavaScript and XML (AJAX) and Web services are currently the most active areas in Web application development. Security issues continue to arise as organizations dive head first into implementing new Web technologies insecurely, without first understanding them.
We cover the security issues, mitigation strategies, and general best practices for implementing AJAX and Web services. We also examine real-world attacks and trends to give you a better understanding of exactly what you are protecting against. The discussion focuses on Web services in the morning and AJAX technologies in the afternoon.