Secure Web Application Development

This course teaches web application developers and architects how to build applications with strong security. It covers every major aspect of application and API security through modules that provide both design and coding advice. Hands-on labs help students learn concepts interactively. The focus is on strategies and tactics that secure software during development. Prerequisites include knowledge of HTML, JavaScript, and a server-side language. Major topics include information disclosure, authentication, sessions, authorization, secure data handling, cryptography, logging, web services security, and the secure development lifecycle.

Uploaded by

Mangesh Abnave

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

132 views

Secure Web Application Development

Uploaded by

Mangesh Abnave

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 3

SECURE WEB/API APPLICATION DEVELOPMENT

This course is designed to teach web application developers and architects how to build applications with
world-class security. QA engineers, IT security analysts, and IT risk managers can also benefit from this course.
Every major aspect of application security is covered, and each module includes both design and coding
advice. Hands-on labs are provided to help students master the concepts in a highly interactive setting. The
course focuses on application development strategies and tactics that secure software at the source.

Prerequisites
The course is contains coding examples in both Java and ASP.Net, but can be customized for any development
language. A working knowledge of HTML, JavaScript and any server-side programming language (ASP.Net, Java,
PHP, etc.) is recommended.

Security Principles Overview: Importance of Security in the Software Development Lifecycle

Regulations, Privacy and Compliance
Impact of Security Defects
Core Security Concepts
Security Design Principles

Information Disclosure Leakage in Web Technologies (HTML, HTTP, Files, Client-Side Objects, URLs,
Web Services)
Error Handling (Structured vs. Functional)
Google Hacking

Authentication Methods of Authentication

2-Factor Authentication
Single Sign-On
Common Authentication Attacks (Brute Force, Username Harvesting, etc.)
Implementing Secure Authentication – Design and Coding

Session Management Overview of Sessions

Threats to Sessions and Impact
Common Implementation Mistakes and Exploits (Interception, Prediction,
Brute Force, etc.)
Implementing Secure Sessions – Design and Coding

Authorization
and Access Control Methods of Access Control
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control
Common Authorization Attacks (Parameter Tampering, Privilege Escalation,
Cross-Site Request Forgery, etc.)
Implementing Secure Authentication – Design and Coding

Secure Data Handling Overview of Data Handling

Integrity Validation
Data Validation
Business Rule Validation
Common Exploits (SQL Injection, Cross-Site Scripting, HTTP Response Splitting,
etc.)
Implementing Secure Data Handling – Design and Coding

Cryptography Hashing
Secure Password Storage
Symmetric and Asymmetric Encryption
Digital Signatures
Certificates
Key Distribution
SSL and Digital Certificates
Implementing Cryptography – Design and Coding

Logging Logging Overview

Threats and Considerations
Implementing Logging – Design and Coding

Web Service Security Simple Object Access Protocol (SOAP)

SOAP Related Protocols
Security Assertion Markup Language (SAML)
WS-Security
REpresentational State Transfer (REST)
REST Related Protocols
JSON vs XML
Implementing Secure Web Services – Design and Coding

Secure Application
Development Software Development Life Cycle (SDLC)
Threat Modeling
Application Risk Levels
Risk Assessment
STRIDE and DREAD
Severity Level Classifications
Web Application Security Tools
Web Application Security Resources
API SECURITY
This course is designed to teach web application developers and architects how to build applications with
world-class security. QA engineers, IT security analysts, and IT risk managers can also benefit from this course.
Every major aspect of application programming interface security is covered, and each module includes both
design and coding advice.

Module 1: Managed APIs

Module 2: Security by Design

Module 3: HTTP Basic/Digest Authentication

Module 4: Mutual Athentication with TLS

Module 5: Identity Delegation

Module 6: OAuth 2.0

Module 7: OAuth 2.0 MAC Token Profile

Module 8: OAuth 2.0 Profiles

Module 10: User Managed Access

Module 11: Federation

Module 12: OpenID Connect

Module 13: JWT, JWS and JWE

Module 14: Patterns and Practices

DEMO-Nagios Certified Professional - Core
No ratings yet
DEMO-Nagios Certified Professional - Core
9 pages
Web Application Development Dos and Donts
No ratings yet
Web Application Development Dos and Donts
18 pages
Edu 330 9x Datasheet
0% (1)
Edu 330 9x Datasheet
1 page
C Ase: Certified Application Security Engineer
0% (1)
C Ase: Certified Application Security Engineer
14 pages
Cloud Computing Basics - ACCENTURE
0% (2)
Cloud Computing Basics - ACCENTURE
2 pages
Oracle Hyperion Planning 11 Essentials Exam Topics
No ratings yet
Oracle Hyperion Planning 11 Essentials Exam Topics
1 page
The Architecture of The Symbian System Model
No ratings yet
The Architecture of The Symbian System Model
36 pages
Cisug
No ratings yet
Cisug
294 pages
Web Application Security
No ratings yet
Web Application Security
48 pages
API Security Testing
No ratings yet
API Security Testing
4 pages
Security Testing by OWASP Top 10
No ratings yet
Security Testing by OWASP Top 10
30 pages
Altoro PDF
No ratings yet
Altoro PDF
101 pages
Reflected Cross Site Scripting (XSS) Attacks
No ratings yet
Reflected Cross Site Scripting (XSS) Attacks
4 pages
PHP Security Checklist
No ratings yet
PHP Security Checklist
18 pages
Thick Client Application Security
No ratings yet
Thick Client Application Security
21 pages
PHP Security Crash Course - 2 - XSS
100% (4)
PHP Security Crash Course - 2 - XSS
58 pages
XSS Prevention Notes
No ratings yet
XSS Prevention Notes
5 pages
WebServices Testing0909
No ratings yet
WebServices Testing0909
5 pages
Course Highlights: Advanced Penetration Testing
No ratings yet
Course Highlights: Advanced Penetration Testing
2 pages
OWASP Mobile App Checklist v1.0
No ratings yet
OWASP Mobile App Checklist v1.0
3 pages
XSS Attacks and Defenses: John Mitchell
No ratings yet
XSS Attacks and Defenses: John Mitchell
44 pages
PHP Security Crash Course - 1 - Introduction
100% (1)
PHP Security Crash Course - 1 - Introduction
13 pages
Cross-Site Scripting: Computer and Network Security Seminar
No ratings yet
Cross-Site Scripting: Computer and Network Security Seminar
25 pages
API Penetration Testing
No ratings yet
API Penetration Testing
15 pages
Dvwa Sqlinjection
No ratings yet
Dvwa Sqlinjection
4 pages
Week 3 - SQL Injection
No ratings yet
Week 3 - SQL Injection
17 pages
PHP Security Crash Course - 6 - PHP Code Inclusion / Evaluation
100% (3)
PHP Security Crash Course - 6 - PHP Code Inclusion / Evaluation
23 pages
1 Corba Vs RMI Vs DCOM
100% (1)
1 Corba Vs RMI Vs DCOM
30 pages
PHP Security Crash Course - 5 - Session Management
100% (5)
PHP Security Crash Course - 5 - Session Management
28 pages
OWASP API Security Top 10 (2019)
No ratings yet
OWASP API Security Top 10 (2019)
31 pages
Ddos-Attacks Preparationdetectionmitigation Apricot 1361720605 PDF
No ratings yet
Ddos-Attacks Preparationdetectionmitigation Apricot 1361720605 PDF
41 pages
Network Security
No ratings yet
Network Security
68 pages
© 2019 Caendra Inc. - Hera For Waptxv2 - Xxe Labs
No ratings yet
© 2019 Caendra Inc. - Hera For Waptxv2 - Xxe Labs
16 pages
PHP Security CPanel
No ratings yet
PHP Security CPanel
5 pages
XSS
No ratings yet
XSS
4 pages
Guide To SSRF
No ratings yet
Guide To SSRF
6 pages
© 2020 Caendra Inc. - Hera For Waptxv2 - XML Injection Labs
No ratings yet
© 2020 Caendra Inc. - Hera For Waptxv2 - XML Injection Labs
10 pages
VAPT: - Vulnerability Assessments & Penetration Testing
No ratings yet
VAPT: - Vulnerability Assessments & Penetration Testing
2 pages
OWASPAppSecEU2006 WAFs WhenAreTheyUseful
No ratings yet
OWASPAppSecEU2006 WAFs WhenAreTheyUseful
44 pages
Lab - 1 - Network Scanning
No ratings yet
Lab - 1 - Network Scanning
1 page
Slide-5 (AWS - IAM)
No ratings yet
Slide-5 (AWS - IAM)
28 pages
Web Application Hacking Penetration Testing 5 Day Hands On Course Syllabus v2.0 New
No ratings yet
Web Application Hacking Penetration Testing 5 Day Hands On Course Syllabus v2.0 New
8 pages
Executive Summary: What Is Authentication, Authorization, and Accounting?
No ratings yet
Executive Summary: What Is Authentication, Authorization, and Accounting?
5 pages
API Testing Detailed Document
No ratings yet
API Testing Detailed Document
9 pages
WEB Pentesting - Update
No ratings yet
WEB Pentesting - Update
40 pages
OWASP Top 10 API Security Risks - 2023
No ratings yet
OWASP Top 10 API Security Risks - 2023
39 pages
4 Step Mitigation For Log4j Attacks
No ratings yet
4 Step Mitigation For Log4j Attacks
3 pages
OWASP Application Security Verification Standard 3.0.1 PDF
100% (1)
OWASP Application Security Verification Standard 3.0.1 PDF
70 pages
TLS and SSL
No ratings yet
TLS and SSL
27 pages
Corba Case Study
No ratings yet
Corba Case Study
7 pages
Penetration Testing Web Application - Web Application (In) Security
No ratings yet
Penetration Testing Web Application - Web Application (In) Security
2 pages
OWASP: Testing Guide v4 Checklist: Information Gathering Test Name
No ratings yet
OWASP: Testing Guide v4 Checklist: Information Gathering Test Name
26 pages
OWASP Top 10 - 2010 Presentation
No ratings yet
OWASP Top 10 - 2010 Presentation
41 pages
PHP Security, Part 2: John Coggeshall
No ratings yet
PHP Security, Part 2: John Coggeshall
5 pages
Pstools
100% (5)
Pstools
13 pages
Certified Information Security Professional - CISP-1337
No ratings yet
Certified Information Security Professional - CISP-1337
13 pages
Lab 3 Netcat
No ratings yet
Lab 3 Netcat
2 pages
Vapt
No ratings yet
Vapt
21 pages
Cybersecurity
No ratings yet
Cybersecurity
10 pages
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
No ratings yet
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
13 pages
Document 2 (6)
No ratings yet
Document 2 (6)
5 pages
WAS NOTES
No ratings yet
WAS NOTES
257 pages
WebApplication Unit 3
No ratings yet
WebApplication Unit 3
37 pages
Java and Web Application Security
No ratings yet
Java and Web Application Security
4 pages
CSWAE Version2
No ratings yet
CSWAE Version2
9 pages
Ov 5
No ratings yet
Ov 5
52 pages
Harjai CV Template Information Security
No ratings yet
Harjai CV Template Information Security
1 page
Subversion: Audience: Duration: Subversion Introduction
No ratings yet
Subversion: Audience: Duration: Subversion Introduction
3 pages
Web Security With SSL
No ratings yet
Web Security With SSL
2 pages
SLE221 SLES12 For SAP Applications Course Description PDF
No ratings yet
SLE221 SLES12 For SAP Applications Course Description PDF
2 pages
Operating System Accenture
No ratings yet
Operating System Accenture
3 pages
Linux KVM Virtualization: Detailed Course Outline: 1. Virtualization Basics
No ratings yet
Linux KVM Virtualization: Detailed Course Outline: 1. Virtualization Basics
2 pages
Web Security With SSL
No ratings yet
Web Security With SSL
2 pages
Ansible Advance Training
No ratings yet
Ansible Advance Training
3 pages
Vmware Vcloud Director: Install, Configure, Manage V9.X
No ratings yet
Vmware Vcloud Director: Install, Configure, Manage V9.X
2 pages
Linux Fundamentals Commands For: Created By: Mangesh Abnave
No ratings yet
Linux Fundamentals Commands For: Created By: Mangesh Abnave
61 pages
Shell Scripting Basic
No ratings yet
Shell Scripting Basic
3 pages
Control - M
No ratings yet
Control - M
4 pages
S Oracle SuperCluster For System Administrators Ed 2
No ratings yet
S Oracle SuperCluster For System Administrators Ed 2
2 pages
Network Essentials CCNA CAMEROON
No ratings yet
Network Essentials CCNA CAMEROON
4 pages
FastTrack To Red Hat Linux 7 System Administrator
No ratings yet
FastTrack To Red Hat Linux 7 System Administrator
3 pages
S.N.B.P International School: Formative Assessment - 2
No ratings yet
S.N.B.P International School: Formative Assessment - 2
2 pages
Oracle Redo Log Performance Issues and Solutions: Sun Hongda
No ratings yet
Oracle Redo Log Performance Issues and Solutions: Sun Hongda
8 pages
1Z0-061 Exam Dumps With PDF and VCE Download (1-15) PDF
100% (1)
1Z0-061 Exam Dumps With PDF and VCE Download (1-15) PDF
13 pages
Metropolitan Community College Course Outline
No ratings yet
Metropolitan Community College Course Outline
6 pages
Oracle Redo Log Performance Issues and Solutions: Sun Hongda
No ratings yet
Oracle Redo Log Performance Issues and Solutions: Sun Hongda
8 pages
Microsoft Exams MS-900
No ratings yet
Microsoft Exams MS-900
2 pages
SAP Basis Course Syllabus
50% (2)
SAP Basis Course Syllabus
4 pages
Aleena John: Your Designation
No ratings yet
Aleena John: Your Designation
1 page
4 1 R07 Sup Apr 2012
No ratings yet
4 1 R07 Sup Apr 2012
16 pages
Kickstart Instrument Control Software: Release Notes
No ratings yet
Kickstart Instrument Control Software: Release Notes
7 pages
CSP 740, CSE, IIT Jammu: Problem Description: Outline
No ratings yet
CSP 740, CSE, IIT Jammu: Problem Description: Outline
3 pages
5 Free Alternatives To Microsoft Word - Techrepublic
No ratings yet
5 Free Alternatives To Microsoft Word - Techrepublic
26 pages
Anatomy of Android Application
No ratings yet
Anatomy of Android Application
6 pages
Airport Connect Cute Eo HR
100% (1)
Airport Connect Cute Eo HR
2 pages
Test Case For Bank Applications
No ratings yet
Test Case For Bank Applications
8 pages
Queries
No ratings yet
Queries
4 pages
Bsi MD Validation and Verification
No ratings yet
Bsi MD Validation and Verification
39 pages
RDF Vs XML Reports
No ratings yet
RDF Vs XML Reports
3 pages
Campus Selection System Report File
50% (14)
Campus Selection System Report File
124 pages
Rank Booster JEE MAIN Physics Part 1 PDF
100% (1)
Rank Booster JEE MAIN Physics Part 1 PDF
132 pages
BF46B5E7 TravelMobileApps
No ratings yet
BF46B5E7 TravelMobileApps
15 pages
Word Skills Checklist Final
100% (2)
Word Skills Checklist Final
1 page
OSY Notes Vol 1 - Ur Engineering Friend
No ratings yet
OSY Notes Vol 1 - Ur Engineering Friend
68 pages
Sandeep Dwivedi SAP MII Cargill
No ratings yet
Sandeep Dwivedi SAP MII Cargill
6 pages
NASA Software Catalog 2019-20 PDF
0% (1)
NASA Software Catalog 2019-20 PDF
216 pages
Power BI Slides
No ratings yet
Power BI Slides
71 pages
CV Muguel
No ratings yet
CV Muguel
4 pages
Foreign Investment Application
No ratings yet
Foreign Investment Application
3 pages
IaC Security - Lab Guide
No ratings yet
IaC Security - Lab Guide
32 pages
Week 9 Lab Sheet - Cloud Computing Mobile Networks
No ratings yet
Week 9 Lab Sheet - Cloud Computing Mobile Networks
3 pages
MST121 Chapter A0 Starting Points
No ratings yet
MST121 Chapter A0 Starting Points
48 pages
Synopsis ON: Bank Management System
No ratings yet
Synopsis ON: Bank Management System
4 pages