C)SWAE (Certified Secure Web Application Engineer)

Security/Informatie Beveiliging trainingen

> Security

Beschikbare leervormen - Available learning methods C)SWAE training
classroom-study
   
 
 
 
 
 
Course duration                 Course price                   Corresponding exam
4 days   EUR 2.995,00 excl. BTW/VAT   C)SWAE- Certified Secure Web Application Engineer

This C)SWAE training is designed to equip attendees with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will gain detailed knowledge of what softStudents will put theory to practice by completing real world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risks analysis and threat modeling, conducting secure code reviews and more.On the final day of training, students will complete a real world hacking exercise on a live web application.

BENEFITS OF C)SWAE COURSE

Graduates of the Mile2 Certified Secure Web Application Engineer training obtain real world security knowledge that enables them to recognize vulnerabilities, exploit system weaknesses and help safeguard against threats.

Experience Level:
-
Geen data hier?:
Vraag een sessie aan via info@one2train.nl

 

C)SWAE OBJECTIVE

The internet is one of the most dangerous places to do business today. Every day, organizations and government fall victim to internet based attacks. In many cases, attacks could be easily thwarted but hackers, organized criminal gangs, and foreign agents are able to exploit weaknesses in web applications and architecture. The Secure Web programmer knows how to identify, mitigate and defend against all attacks, through designing and building systems that are resistant to failure. The secure web application developer knows how to develop web applications that are not subject to common vulnerabilities, and how to test and validate that their applications are secure, reliable and resistant to attack. The Secure Web Application Engineer course provides the developer with a thorough and broad understanding of secure application concepts, principles and standards. The developer will be able to design, develop and test web applications that will provide reliable web services that meet functional business requirements and satisfy compliance and assurance needs.

UPON COMPLETION

Upon completion, attendees should have the skills to perform the following:

  • Identify application security vulnerabilities in any software application
  • Review software architecture diagrams and identify attack points
  • Perform web application penetration testingDesign controls to defend against application vulnerabilities
  • Identify vulnerabilities as they relate to the OWASP Top 10
  • Perform advanced attacks against web applications
  • Perform security code reviews
  • Develop security test scripts
  • Build a web hacking toolbox
  • Integrate security best practices into the Software Development Lifecycle (SDLC)
  • Communicate to both technical and non-technical individuals concerning application vulnerabilities

Prerequisites:

  • A minimum of 12 months experience in networking technologies
  • Sound knowledge of TCP/IP
  • Knowledge of Microsoft packages
  • Network+, Microsoft, Security+
  • Basic Knowledge of Linux is essential

Certification Exam:

C)SWAE- Certified Secure Web Application Engineer

Certification Track:

  • Certified Secure Web App Engineer
  • Certified Pen Testing Engineer
  • Certified Pen TestingConsultant
  • Certified Digital Forensics Examiner

DETAILED MODULE DESCRIPTION

  • Module 1
    • Web Application Security
    • Web Application Technologies and Architecture
    • Application Flaws and Defense Mechanisms
    • The Open Web Application Security Project (OWASP)

  • Module 2
    • Application Mapping
    • Threat Modeling
    • Architecture Risk Analysis
    • Lab: Threat Modeling and Architecture Risk Analysis

  • Module 4
    • Application Security Toolbox
    • Setting up a Testing Environment
    • Lab: Setting up a Security Testing Environment

  • Module 5
    • Client Side Attacks
    • Authentication Attacks
  • Module 6
    • Session Management Attacks
    • Access Control Attacks
    • Environment Configuration Attacks
    • Lab: Session Management, Access Controls and Configuration Attacks

  • Module 7
    • Application Logic Attacks
    • Information Disclosure Exploits
    • Data Transmission Attacks
    • Lab: Application Logic, Information Disclosure and Data Transmission Attacks

  • Module 8
    • AJAX Attacks
    • Web Services Attacks
    • Application Server Attacks
    • Lab: AJAX, Web Services and Server Attacks

  • Module 9
    • Insecure Code Discovery and Mitigation
    • Developing Security Testing Scripts
    • Lab: Performing Code review and Building Security Test Scripts

  • Module 10
    • Secure-Software Development Lifecycle (SDLC) Methodology
    • Web Hacking Methodology

Lab: Case Study and Web Penetration Testing Assignment

Part II - Web Application

Introduction    

Intro Lab - Application Overview      

Exercise 1: Logging into WebGoat   

Exercise 2: Running WebScarab     

Exercise 3: Manipulating Data         

Lab 1 – Spoofing Authentication Cookies    

Lab 2: How to Perform Cross Site Scripting (XSS)

Lab 3 – Injection flaws          

Exercise 1: SQL Injection

Exercise 2: String SQL Injection      

Exercise 3: String SQL Injection      

Lab 4 – Improper Error Handling      

Exercise 1 - Fail Open Authentication         

Lab 5 - Parameter Tampering

Lab 6 - Denial of Service 

Part III- Writing Java Secure Code

Input Validation and Data Sanitization (IDS)
IDS00-J. Sanitize untrusted data passed across a trust boundary

Input Validation and Data Sanitization (IDS)
IDS02-J. Canonicalize path names before validating them

Input Validation and Data Sanitization (IDS)
IDS03-J. Do not log unsanitized user input

Input Validation and Data Sanitization (IDS)
IDS04-J. Safely extract files from ZipInputStream

Input Validation and Data Sanitization (IDS)
IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method