Topics covered include Secure HTTP Headers, Access Control, Logic Flaws, Platform Configuration, Authentication design and Implementation, Cloud-Based Attacks and Defences, OWASP Top 10, Securely Integrating Web Applications with Cloud Platforms, Modern Cloud-Based Technologies, SOAP/REST, Web Application Firewalls, and Common Application Coding Errors.
Training is aligned to support individuals seeking to undertake the GIAC Certified Web Application Defender (GWEB) exam.
This training can be delivered virtually, at our London or Bristol facilities, or at our clients’ premises; training is typically for group bookings only.
Certification
PGI Cyber Academy – Completion Certificate
Aim
By the end of this training, you will have discovered the key challenges faced when securing web applications and how these vulnerabilities affect modern technologies. You will also have learnt the key skills to be able to protect against the various threats, and consolidated your technical security skills.
Audience
Intermediate-level cyber security practitioners who wish to learn the knowledge and skills required to analyse web applications for vulnerabilities and protect against their threats. Example roles might include:
- Software assessors
- Software / application developers
- Technical security architects
- Penetration testers
- Security practitioners who have responsibilities for web application security
Learning outcomes
- Evaluate cyber security considerations for database systems.
- Implement application firewall concepts and functions.
- Understand how to use encryption algorithms.
- Determine best use of architectural concepts and patterns.
- Understand which applications can log errors, exceptions, and application faults.
- Know how to utilise technologies and tools to explore, analyse, and represent data.
- Understand web filtering technologies.
- Develop a security mindset for website types, administration, functions, and content management systems.
- Identify attack methods and techniques.
- Recognise and interpret malicious network activity in traffic.
- Review logs to identify evidence of intrusions and other suspicious behaviour.
- Audit firewalls, routers, and intrusion detection systems.
- Identify a network anomaly.
- Apply cryptography algorithms and techniques to protect data, systems, and networks.
Prerequisites
Knowledge of:
- Authentication, authorisation and access control methods.
- Programming language structures and logic.
- Extensible Markup Language (XML) schemas.
- Physical and logical network devices and infrastructure.
- Database management systems, query languages, table relationships and views.
- An organisation’s evaluation and validation requirements in relation to cyber security risk management.
- Web services.
- Secure coding techniques.
- Hacking methodologies.
- Cyber security controls related to the use, processing, storage, and transmission of data.
- An organisation’s local and wide area network connections and the risks they pose to its cyber security.
- An organisation’s policies and standard operating procedures relating to cyber security.
Skills in:
- Conducting vulnerability scans and identifying vulnerabilities in security systems.
- Designing countermeasures for identified security risks.
- Evaluating the adequacy of security designs.
- Using virtual private network devices and encryption.
- Securing network communications.
- Recognising and categorising types of vulnerabilities and associated attacks.
Syllabus
This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:
Web Fundamentals and Security Configuration
- Introduction to HTTP protocol
- Overview of web technologies
- Web application architecture
- Database
- Flat File database
- Relational database
- Securing modern database systems
- Database development
- Database remediation
- Attack trends
- Web application firewalls
- Platform configurations for web applications
Defence Against Input Related Threats
- OWASP Top Ten
- Input-related vulnerabilities in web applications
- API and Unauthenticated API
- Server-side Template Injection
- Insecure Deserialization
- SQL injection
- Cross-site request forgery
- Cross-site scripting vulnerability and defences
- File upload handling
- Business logic and concurrency
Web Application Authentication and Authorisation
- Authentication vulnerabilities and defence
- Access control and authorisation vulnerabilities and defence
- Multifactor authentication
- SSL vulnerabilities, testing and proper encryption use in web applications
- Session vulnerabilities and testing
- Credential stuffing and credential re-use attacks
Web Services and Front-End Security
- Honey Tokens
- XML security and parsing
- AJAX technologies overview
- AJAX attack trends and common attacks
- Web services overview
- REST and SOAP security
- Web Application Firewall (WAF)
- Browser-based defence such as Content Security Policy
- Securing Content Management Systems (CMS)
Cutting Edge Web Security
- Clickjacking
- Server-Side Request Forgery (SSRF)
- HTML5 security
- Cross Origin Resource Sharing (CORS)
- Security testing
- IPv6 impact on web security
- System Logging and Security Information and Event Management (SIEM)
Exam Preparation