Module 1: Web Application – Security Basics
- What is Security?
- What is Secure Coding?
- Why anti-virus, firewalls, IPS and IDS are not enough to stop application hacking?
- Why do you need a Web Application Firewall?
- Protocol Basics of HTTP and HTTPS
- Stateless protocol
- Why Cookies and/or Sessions are an integral part of web applications?
- Issues in the protocol structures of web
- A Holistic approach to Security
- Secure the Network, Host & Application
- Cyber Kill Chain
- Web application Security Landscape
- RACI Matrix
- Application Vulnerability Attacks (Case Study and Discussion)
Module 2: Threat Modeling
- Introduction to Threat Modeling
- STRIDE Threat Model
- PASTA Threat Model
- LINDDUN Threat Model
- CVSS Threat Model
- Security Architecture Design Principles: Security by Design, Privacy by Design
- Threat Modeling an application using STRIDE tool: DEMO
Module 3: Principles of Secure Development
The 8 Principles of Secure Development are the basic foundation blocks of secure programming. These 8 principles are generally not followed during the software development process, resulting in applications with numerous vulnerabilities that are easily exploited by hackers/intruders.
- Input Validation
- Output Validation
- Error Handling
- Authentication and Authorization
- Session Management
- Secure Communications
- Secure Storage
- Secure Resource Access
Module 4: OWASP & SANS Top Web Application Vulnerabilities – Attacks & Defenses
Hands-on Labs on Attacks and Defenses:
- SQL Injection
- Cross Site Scripting
- Cross Site Request Forgery
- LDAP Injection
- Command Injection
- Parameter/Form Tampering
- Payment Gateway Hacking
- XML External Entities (XXE)
- Improper Error Handling
- Unvalidated Input
- Insecure Deserialization
- Directory Traversal
- Cookie Poisoning
- Insecure Storage
- Information Leakage
- Denial of Service
- Log Tampering
- Broken Access Control
- Broken Session Management
- Session Fixation
- Security Misconfiguration
- File Upload and Download, and many more
Module 5: Third Party Libraries and API Security
- Advantages & Disadvantages
- Wrapping Third Party API
- Top 10 Third Party Libraries
- API Security: Common Attacks and Defenses
- API Security Tools
Module 6: Secure Code Testing
- Static Application Security Testing
- Dynamic Application Security Testing
- Interactive Application Security Testing
- Automatic and Manual Vulnerability Scanning with W3af, Wapiti, Nikto, BurpSuite, etc.
- Password Cracking
- HTTP DOS
- Automated and Manual Exploitation of Web Vulnerabilities using a wide range of scripts
- Vulnerability Assessment reporting with Remediations and Mitigations