About the course
Web applications are the foundation of modern business and are under constant attack. This 2-day course is designed for any developer, architect, or security professional who needs to understand and address the critical risks inherent in web app development. The training provides a deep dive into common web vulnerabilities, heavily informed by the OWASP Top 10, equipping participants with the practical skills and knowledge to build more secure applications, regardless of their technology stack.
The course begins by integrating security effectively throughout the Software Development Lifecycle (SDL). Participants will delve into concepts such as threat modeling, web-focused attack surface analysis, and utilizing the right security tools. A central component is a hands-on deep dive into each of the OWASP Top 10 risks, including Injection, Broken Access Control, and Security Misconfiguration. For each category, you will gain a detailed understanding of how a vulnerability can be exploited and learn to apply practical mitigation techniques.
Beyond the OWASP Top 10, we will cover essential countermeasures and explore additional risks. This includes data protection mechanisms like cryptography, understanding other vulnerabilities such as Clickjacking, and implementing secure auditing and logging solutions. The course reinforces learning through practical exercises and discussions, concluding by highlighting how to apply secure development principles in real-world scenarios.
Instructor-led online and in-house face-to-face options are available - as part of a wider customised training programme, or as a standalone workshop, on-site at your offices or at one of many flexible meeting spaces in the UK and around the world.
- Understand the fundamental importance of web application security, identify key risks, and explain its impact on business.
- Integrate security effectively throughout the Web Application Secure Development Lifecycle (SDL), including performing risk analysis, threat modelling, and defining security requirements.
- Understand and apply various web application security testing techniques, including Static Analysis, Dynamic Analysis, and Fuzz Testing.
- Identify, understand, and implement general mitigation techniques for each of the OWASP Top 10 Web Application Security Risks (2021).
- Understand and prevent other common web vulnerabilities such as Clickjacking and Response Splitting.
- Gain awareness of additional significant software security risks listed in the CWE/SANS Top 25 Most Dangerous Software Errors.
- Implement general Data Protection Mechanisms for web applications, including cryptography and tokenisation solutions.
- Implement secure auditing and logging solutions for web applications.
- Understand common techniques for Exploiting Authentication and discuss general language/platform-specific security considerations and data devaluation concepts.
- Apply learned secure development principles in real-world web application scenarios.
This 3-day intensive hands-on training course is designed for IT professionals involved in building, securing, and testing web applications, regardless of their specific technology stack (e.g., .NET, Java, Python, Node.js, PHP, Ruby, etc.). It is ideal for:
- Web Application Developers from any background who want to write secure code and understand web-specific vulnerabilities and countermeasures.
- Web Architects responsible for designing secure web application architectures and security controls.
- Security professionals needing to understand common web application security risks, testing, and countermeasures.
- Quality Assurance (QA) Engineers and Testers involved in identifying and testing for security vulnerabilities in web applications.
- Development team leads and managers overseeing web application projects.
Participants should have:
- Experience developing web applications or familiarity with web application architecture and concepts (client-server, HTTP, sessions, cookies, etc.).
- A basic understanding of web technologies (HTML, CSS, JavaScript).
- Familiarity with basic security concepts is helpful but not strictly required.
We can customise the training to match your team's experience and needs - with more time and coverage of fundamentals for newer developers, for instance.
This Web App Security course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
Introduction to Application Security
What is Application Security and why is it so important?
What does it mean to your business? The business impact of insecure software.
Secure Development Lifecycle (SDL)
Analysing security and privacy risk in the development lifecycle.
Attack surface analysis for web applications.
Threat Modeling for web applications: Identifying threats and vulnerabilities.
Identifying the right tools for web application security analysis and testing.
Enforcing banned functions and secure coding policies.
Static analysis techniques for web application code.
Dynamic / Fuzz Testing techniques for web applications.
Defining a Response Plan for web security incidents.
Final Security Review processes.
Hands-On/Tool Demo: Introduction to web security testing tools (e.g., OWASP ZAP).
Hands-on with the OWASP Top 10 Web Application Security Risks (Part 1)
Overview of the OWASP Top 10 (2021) list and its importance.
A01:2021 - Broken Access Control: Understanding access control vulnerabilities and general mitigation.
Hands-On/Lab: Identifying and understanding Broken Access Control.
A02:2021 - Cryptographic Failures: Protecting sensitive data in transit and at rest.
Hands-On/Lab: Understanding Cryptographic Failures.
A03:2021 - Injection: Understanding injection flaws (SQL, OS, LDAP, etc.) and general prevention techniques.
Hands-On/Lab: Identifying and understanding Injection vulnerabilities.
A04:2021 - Insecure Design: Identifying design flaws that lead to security issues.
Discussion: Analysing insecure design patterns.
A05:2021 - Security Misconfiguration: Understanding risks from improper setup and defaults.
Hands-On/Lab: Identifying common Security Misconfigurations.
Hands-on with the OWASP Top 10 Web Application Security Risks (Part 2)
A06:2021 - Vulnerable and Outdated Components: Managing dependencies and patching.
Hands-On/Lab: Using tools to identify vulnerable components.
A07:2021 - Identification and Authentication Failures: Understanding broken authentication and session management.
Hands-On/Lab: Understanding Authentication Failures.
A08:2021 - Software and Data Integrity Failures: Risks related to insecure CI/CD and data handling.
Discussion: Analysing data integrity risks.
A09:2021 - Security Logging and Monitoring Failures: Importance of logging, monitoring, and incident response.
Discussion: Best practices for security logging.
A10:2021 - Server-Side Request Forgery (SSRF): Understanding SSRF and general prevention.
Hands-On/Lab: Identifying and understanding SSRF.
Beyond OWASP
Data Protection Mechanisms: Concepts of cryptography, hashing, and secure storage.
Tokenisation solutions for protecting sensitive data.
Fuzz testing and other tools for vulnerability discovery (overview).
Understanding Clickjacking vulnerabilities and prevention techniques.
Understanding Response Splitting vulnerabilities and prevention techniques.
CWE/SANS Top 25 Most Dangerous Software Errors: Overview of other critical risks.
Exploiting authentication: Common attack vectors (e.g., brute force, credential stuffing - discussed conceptually).
Language issues: Understanding how language/platform specific features can introduce risks (conceptual discussion).
Data devaluation strategies: Techniques to reduce the value of data to attackers (e.g., anonymisation, minimisation).
Auditing and Logging Solutions: Implementing secure logging for incident detection and forensics.
Hands-On/Tool Demo: Exploring a specific testing tool in more depth (e.g., using OWASP ZAP for scanning).
Summary
Applying what you’ve learnt in the real world: Integrating security practices into daily development.
Understanding the business impact of insecure software revisited.
Course review and Q&A
OWASP Official Website: The primary source for web application security knowledge and projects.
OWASP Top 10 (Latest Version): Detailed information on the most critical web application security risks.
OWASP Cheat Sheet Series: Practical guidance on preventing specific vulnerabilities.
CWE/SANS Top 25 Most Dangerous Software Errors: A list of the most common and impactful programming errors.
OWASP ZAP (Zed Attack Proxy): A widely-used free and open-source web application security scanner.
Burp Suite Community Edition: A popular integrated platform for performing security testing of web applications.