SEC201 – Defending Web Applications

Learn about our Defending Web Applications course.

Course Learning Objectives

In Defending Web Applications, you’ll begin by securing your web infrastructure with TLS, CA certificates, and firewalls. Next, you’ll explore authentication and authorization, covering password attacks, multi-factor authentication, and privilege escalation.

Session management follows, focusing on session vulnerabilities and client-side vs. server-side weaknesses. You’ll then dive into secure account management, addressing user enumeration, registration, “Remember Me” features, and CSRF attacks.

Data validation is next, covering input validation, output encoding, buffer overflows, canonicalization, XSS, SQL injection, bind variables, and stored procedures. Lastly, you’ll cover logging and monitoring, including error messages, log security, and SAST, DAST, and IAST tools for testing web applications.

Description

Defending Web Applications is a 200-level course for web application developers who are already familiar with AppSec Fundamentals and the OWASP Top 10. It explores best practices for securing web applications by building defense mechanisms into your code.

Audience: Software Developers

Time Required: Tailored learning – 120 minutes total (approx.)

Course Outline

1. Web infrastructure security

  • HTTP
  • HTTPS and TLS
  • HTTP/2
  • How to Enable HTTP/2
  • CA certificates
  • How CA certificates work
  • Shared key encryption
  • Self-signed certificates
  • Web server setup
  • Web server directives
  • Disable unnecessary services
  • Enable X-Frame-Options
  • Enable CSP
  • Enable Strict-Transport-Security
  • Enable X-Content-Type-Options
  • Physical access to web server
  • Remote access to web server
  • Firewalls
  • Application and database separation
  • Traditional hardware firewalls
  • Next-generation firewalls
  • Cloud-delivered threat intelligence
  • Web application firewalls
  • Web application firewall deployment
  • How WAFs protect web applications
  • Zero-day exploits
  • Defending against zero-day exploits
  • Tracking zero-day exploits
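The four "Enable ..." items above (X-Frame-Options, CSP, Strict-Transport-Security, X-Content-Type-Options) are the hardening steps most easily verified from code. What follows is an added example, not course material: a small Python audit that reads a response's headers and reports which of those four checks fail. The one-year HSTS threshold, the CSP rules it applies, and the two sample responses are constructed for this illustration.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age in seconds; a common minimum recommendation (assumption)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def audit_security_headers(headers: Dict[str, str], over_tls: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Clickjacking: the page must refuse to be framed by other origins.
    if _header(headers, "X-Frame-Options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # CSP: must be present and must not reopen the XSS door for script sources.
    csp = _header(headers, "Content-Security-Policy")
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        directives: Dict[str, List[str]] = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src:
            findings.append("Content-Security-Policy sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("Content-Security-Policy script sources allow 'unsafe-inline' or *")

    # HSTS only matters on HTTPS responses; browsers ignore it over plain HTTP.
    if over_tls:
        max_age = 0
        for part in _header(headers, "Strict-Transport-Security").split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < ONE_YEAR:
            findings.append("Strict-Transport-Security missing or max-age below one year")

    # MIME sniffing: stops a browser from running a text/plain upload as script.
    if _header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    return findings


# Constructed sample responses (not captured from any real server).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or "OK")
```

Run it against a real deployment by feeding it `dict(response.headers)` from whatever HTTP client you use; the weak sample trips all four checks, the hardened one passes cleanly.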

2. Authentication and authorization

  • About authentication
  • Password-based authentication
  • Compromised login credentials
  • Brute force attacks
  • Phishing attacks
  • Dictionary attacks
  • AI-assisted password attacks
  • Newsflash: Stolen password
  • CAPTCHA
  • Password policy
  • Password managers
  • One-time passwords
  • Multi-factor authentication
  • Session-based authentication
  • Token-based authentication
  • Certificate-based authentication
  • OAuth and OpenID
  • Phishing-resistant authentication
  • AIOps
  • Employee security training
  • About roles
  • Privilege escalation
  • Newsflash: Privilege escalation
  • Role-based access control
  • Server-side validation of roles
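Privilege escalation in a web application very often comes down to trusting a role or user ID the client sent along with the request. As an added example (not part of the course), the Python below contrasts an authorization check that takes the role from the request body with one that resolves it from server-side session state. The permission matrix, the role names and the `SessionStore` class are assumptions made for the illustration.

```python
import secrets
from typing import Dict, Optional, Set

# Permission matrix (constructed): role -> actions it may perform.
PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"read_report"},
    "editor": {"read_report", "edit_report"},
    "admin": {"read_report", "edit_report", "delete_report", "manage_users"},
}


class SessionStore:
    """Server-side session state: opaque session ID -> authenticated user and role."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def login(self, username: str, role: str) -> str:
        # The role is fixed here, at authentication time, from the user directory.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": username, "role": role}
        return session_id

    def lookup(self, session_id: str) -> Optional[Dict[str, str]]:
        return self._sessions.get(session_id)


def authorize_insecure(store: SessionStore, session_id: str, action: str, body: Dict[str, str]) -> bool:
    """Anti-pattern: the role is taken from the request body when present, so any
    caller can send {"role": "admin"} and escalate. Kept only for contrast."""
    session = store.lookup(session_id)
    if session is None:
        return False
    role = body.get("role", session["role"])
    return action in PERMISSIONS.get(role, set())


def authorize(store: SessionStore, session_id: str, action: str, body: Dict[str, str]) -> bool:
    """Server-side validation: the role is read from the session record and nothing
    in the client-supplied body (which is deliberately ignored here) can change it."""
    session = store.lookup(session_id)
    if session is None:
        return False  # not authenticated
    role = session["role"]
    return action in PERMISSIONS.get(role, set())


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "viewer")
    escalate = {"role": "admin"}
    print("insecure:", authorize_insecure(store, sid, "delete_report", escalate))  # True
    print("secure:  ", authorize(store, sid, "delete_report", escalate))           # False
```

The same rule applies to any identifier that selects what a request acts on (account numbers, document IDs): look it up against what the server already knows about the session, rather than trusting the value because it arrived in a hidden form field or a JSON body.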

3. Session management

  • Session management
  • Session tokens
  • Sessions as tickets
  • Cookies
  • Security concerns
  • Client and server-side issues
  • How do users get fooled
  • Session hijacking
  • Session spoofing
  • Session fixation attack
  • Sequential tokens
  • Repeating or exhausted tokens
  • Time-driven token generation
  • Predictable sessions
  • Newsflash: Twitter (X) data breach
  • Defending against token and cookie vulnerabilities
  • Assign a new session token
  • Best practices for securing session ID tokens
  • Use JSON web tokens
  • JWT refresh tokens
  • Server-side tokens
  • HTTP verb tampering
  • Web cookie attributes
  • Use multifactor authentication
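Several of the items above (sequential and predictable tokens, session fixation, exhausted tokens, assigning a new session token, cookie attributes) fit into one small server-side session table. The Python below is an added example, not course code: it shows an unguessable token, a new token issued at login so a pre-planted token becomes worthless, idle expiry, and the Set-Cookie attributes. The `SessionManager` class, the 15-minute idle timeout and the `__Host-session` cookie name are assumptions for the illustration.

```python
import secrets
import time
from typing import Callable, Dict, Optional

TOKEN_BYTES = 32        # 256 bits of entropy per session ID
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is discarded (assumption)


def sequential_token(counter: int) -> str:
    """Anti-pattern: a sequential session ID. Seeing one ID reveals its neighbours."""
    return f"{counter:08d}"


def new_session_token() -> str:
    """CSPRNG-backed, URL-safe, and unguessable."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionManager:
    """Server-side session table; the browser only ever holds the opaque token."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested without sleeping
        self._sessions: Dict[str, Dict] = {}

    def start(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        token = new_session_token()
        self._sessions[token] = {"user": None, "last_seen": self._now()}
        return token

    def login(self, old_token: str, user: str) -> str:
        """Fixation defence: on successful authentication issue a brand-new token and
        invalidate the old one, so a token planted in the browser before login is useless."""
        self._sessions.pop(old_token, None)
        token = new_session_token()
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def lookup(self, token: str) -> Optional[Dict]:
        """Return the session record, or None if the token is unknown or idle-expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._now() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # exhausted token: it cannot be replayed later
            return None
        session["last_seen"] = self._now()
        return session

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def set_cookie_header(token: str, name: str = "__Host-session") -> str:
    """Secure (HTTPS only), HttpOnly (no document.cookie access), SameSite=Lax (not sent
    on cross-site POSTs); Path=/ and no Domain attribute, as the __Host- prefix requires."""
    return f"{name}={token}; Path=/; Max-Age={IDLE_TIMEOUT}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    mgr = SessionManager()
    anon = mgr.start()
    authed = mgr.login(anon, "alice")
    print(set_cookie_header(authed))
    print("old token still valid?", mgr.lookup(anon) is not None)  # False
```

The `login` step is the one most often missed: keeping the pre-authentication token after login is exactly what makes session fixation work.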

4. Secure account management

  • User enumeration
  • Implement account management features securely
  • Secure your password storage
  • Use strong password encryption
  • Add a unique salt
  • Secure your user registration
  • Remember Me
  • Best practices
  • Secure password reset feature
  • Cross-Site Request Forgery
  • Defending against CSRF
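The items in this module (password storage with a unique salt, registration and login that do not enumerate users, and CSRF defence) share one small code base, so here is one added example covering all three. It is not course code. It stores passwords as salted scrypt hashes, gives unknown and known usernames the same login path and cost, and derives a per-session CSRF synchronizer token with HMAC. The work factors, the in-memory `USERS` table and the `_CSRF_KEY` secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# scrypt work factors (assumption; modest so the example runs quickly, raise n in production).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt per user means two users with the
    same password get different hashes, and precomputed tables are useless."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)  # constant-time comparison


# Constructed user table: username -> (salt, key). The password itself is never stored.
USERS: Dict[str, Tuple[bytes, bytes]] = {}
# Dummy credential so a login for an unknown user costs the same scrypt work as a real one;
# otherwise response time alone reveals which usernames exist.
_DUMMY_CREDENTIAL = hash_password(secrets.token_hex(16))


def register(username: str, password: str) -> bool:
    """Returns whether a new account was created. The HTTP response should read the same
    either way ("check your email to continue") so the form cannot enumerate users."""
    if username in USERS:
        return False
    USERS[username] = hash_password(password)
    return True


def login(username: str, password: str) -> bool:
    """One generic failure path for a bad username and a bad password alike."""
    salt, expected_key = USERS.get(username, _DUMMY_CREDENTIAL)
    matched = verify_password(password, salt, expected_key)
    return matched and username in USERS


# --- CSRF: a per-session synchronizer token ---------------------------------
_CSRF_KEY = secrets.token_bytes(32)  # server-side secret (assumption; load from config in practice)


def csrf_token(session_id: str) -> str:
    """Derive the token from the session ID so it is unique per session and needs no storage."""
    return hmac.new(_CSRF_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, submitted: str) -> bool:
    """The token must arrive in the form body or a custom header, never in a cookie alone:
    a forged cross-site request carries the victim's cookies but cannot read this value."""
    return hmac.compare_digest(csrf_token(session_id), submitted)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"), login("nobody", "anything"))
    token = csrf_token("session-A")
    print(csrf_valid("session-A", token), csrf_valid("session-B", token))
```

For the password reset feature listed above, the same enumeration rule applies: respond identically whether or not the address exists, and let the e-mail itself carry the outcome.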

5. Data validation

  • Trustworthy user data
  • Types of input validation attacks
  • Buffer overflow attacks
  • Buffer overflow defenses
  • Canonicalization attack
  • Canonicalization attack defenses
  • Cross-site scripting attack
  • Cross-site scripting attack defenses
  • SQL injection attack
  • SQL injection attack defenses
  • Denylisting and allowlisting
  • Output encoding
  • Bind variables and stored procedures
  • Client-side vs. server-side validation
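The SQL injection, allowlisting, bind variable and output encoding items above are easiest to see side by side. The Python below is an added example, not course code: an in-memory SQLite table queried first by string splicing and then with a bind variable, an allowlist check for usernames, and HTML output encoding at the point of rendering. The table contents, the username rule and the two payloads are constructed for the illustration.

```python
import html
import re
import sqlite3
from typing import List, Tuple

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")  # allowlist: what a name may contain (assumption)


def is_valid_username(name: str) -> bool:
    """Allowlisting: accept only the characters a username legitimately needs.
    Denylisting (stripping quotes, '--' and so on) is a losing race against encodings."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable: the value is spliced into the SQL text, so the caller rewrites the query."""
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Bind variable: the driver passes the value separately; it can never become SQL syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_profile(name: str) -> str:
    """Output encoding for the HTML context, applied at output regardless of earlier validation."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


TAUTOLOGY = "x' OR '1'='1"                         # classic injection payload (constructed)
SCRIPT = "<script>alert(document.cookie)</script>"  # reflected XSS payload (constructed)

if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, TAUTOLOGY))  # every row leaks
    print(find_user_safe(db, TAUTOLOGY))    # []
    print(is_valid_username(TAUTOLOGY))     # False: rejected before it reaches the database
    print(render_profile(SCRIPT))
```

Validation and encoding are not substitutes for each other: the allowlist rejects the payload early, the bind variable makes the query safe even if validation is bypassed, and the output encoding protects the page even when the stored value was never validated.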

6. Logging and monitoring

  • Log and error messages
  • Information disclosure scenario – error message
  • Information disclosure scenario – solution
  • Storage of sensitive data
  • Sensitive data types
  • Sanitizing logfile data
  • Adding contextual data
  • Centralizing log management
  • Quick debugging and application history
  • Monitoring of events
  • Web application security tools
  • SAST
  • DAST
  • DAST tools
  • IAST
  • IAST tools
  • Penetration testing
  • Outsourcing penetration testing
  • Protecting your digital assets
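The logging items in this module (sanitizing logfile data, sensitive data types, adding contextual data, and the information-disclosure error message scenario) come together in one small logging helper. The Python below is an added example and not course code: it neutralizes control characters so one input cannot forge extra log lines, redacts sensitive fields and card-shaped numbers, tags every record with a request ID for correlation, and turns an exception into a generic client message while the detail goes to the log. The field list, the card pattern and the hostile sample input are constructed for the illustration.

```python
import json
import logging
import re
import uuid
from typing import Any, Dict

# Field names whose values never belong in a log (assumption; extend per application).
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "token", "authorization", "cookie", "ssn"}
# CR, LF and other control characters: placed in input to forge additional log lines.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Payment-card-shaped runs of 13-19 digits with optional spaces or dashes.
_CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def neutralize(value: str) -> str:
    """Replace control characters with visible escapes so one value cannot span lines."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def redact(fields: Dict[str, Any]) -> Dict[str, Any]:
    cleaned: Dict[str, Any] = {}
    for key, value in fields.items():
        if key.lower() in SENSITIVE_FIELDS:
            cleaned[key] = "[REDACTED]"
        elif isinstance(value, str):
            cleaned[key] = _CARD.sub("[CARD]", neutralize(value))
        else:
            cleaned[key] = value
    return cleaned


def log_event(event: str, request_id: str, **fields: Any) -> str:
    """Emit one structured JSON line; the request ID is the correlation key across services."""
    record = {"event": event, "request_id": request_id, **redact(fields)}
    line = json.dumps(record, sort_keys=True)
    logging.getLogger("app").info(line)
    return line


def handle_exception(exc: Exception, request_id: str) -> Dict[str, str]:
    """Exception detail goes to the log; the client gets a generic message plus the ID
    so support can find the matching log entry without the page disclosing internals."""
    log_event("unhandled_exception", request_id,
              error_type=type(exc).__name__, detail=str(exc))
    return {"error": "An internal error occurred.", "reference": request_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    rid = str(uuid.uuid4())
    # Constructed hostile input: a username that tries to append a fake "login_ok" line.
    log_event("login_failed", rid,
              user='mallory\r\n{"event": "login_ok", "user": "admin"}',
              password="hunter2", note="card 4111 1111 1111 1111")
    print(handle_exception(ValueError("password for alice is hunter2"), rid))
```

Centralized log management, listed above, is where the request ID pays off: every service that handles the same request logs the same ID, so one search reconstructs the whole history of a failed login or an exception.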