Espion IT

Web Applications Security - ESP-P-001

  • Track: Software.
  • Level: Practitioner level - Those who must incorporate security conscious practices into their daily processes
Overview

With web applications becoming ubiquitous across every organisation, many are unaware of the potential risk to which they are exposing their organisation by implementing insecure applications. Insecure web applications can result in customer data exposure or downtime of critical systems, leading to significant financial and reputational damage to the organisation. As web applications bring with them new avenues for attack, so too must organisations be trained to understand and address these new risks.

Espion’s 1-day Web Applications Security Course is an introduction to the common security risks within web applications, with a series of practical exercises that will equip delegates with the knowledge required to identify and correct any exposures. The objective of this programme is to reduce the risk to the organisation posed by web applications by educating delegates in secure design and development practices, allowing them to understand, identify and eliminate these new risks before they result in damage to the organisation.

Pre-requisites

This course is aimed at anyone responsible for developing, managing, testing or maintaining web-based applications, as well as technical managers, team leaders or anyone else with a vested interest in ensuring the security of their web presence.

Course duration
1 day
Course dates
Friday 13 November 2009
Ireland - Dublin
Friday 22 October 2010
Ireland - Dublin
Course location

On-Site / Espion Training Center

Content

Unit 1: Web Application Security

  • As applications become increasingly complex, the risk of vulnerabilities within web applications increases dramatically unless they are securely designed and developed.

Unit 2: Authentication

  • We will discuss common issues with authentication mechanisms.

Unit 3: Session Management

  • Maintaining session state is essential in all web applications. However, attackers can exploit bad session management practices to gain access or escalate privileges within the application.

Unit 4: Authorisation

  • Restricting access between users is increasingly important as web applications increase in complexity and functionality. Ensuring this segregation is critical in any web application.

Unit 5: Data Validation

  • All user input should be treated as insecure until it has been sanitised or validated to not contain malicious content. This is one of the key elements in web application security.

Unit 6: Information Disclosure

  • Comments and debugging information used by developers when troubleshooting issues can be a mine of information to potential attackers looking to understand the application and identify vulnerabilities.

Unit 7: Code Injection

  • Interpreters provide additional processing outside of the application. When user input is involved in generating the query, there exists the potential for an attacker to manipulate the logic. This includes such topics as SQL injection, command injection and XPath injection.

Unit 8: Cross-Site Scripting

  • In taking input from the user and sending it back to the browser without validation, the application is open to phishing and other scripting attacks that appear completely legitimate to the user.

Unit 9: Path Traversal

  • Allowing user input to view, upload or delete a file can compromise not just the application but also the entire server.

Unit 10: OWASP Top Ten

  • The OWASP Top Ten outlines the ten most common web application security vulnerabilities. Reviewing your applications against the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organisation into one that produces secure code.

Unit 11: Threat Modelling

  • These methods allow you to effectively find and address the threats and vulnerabilities your application is exposed to.

    IRELAND

    The Penthouse, Block 2,
    Deansgrange Business Park,
    Deansgrange,
    Co. Dublin,
    Ireland.
    Tel: +353-1-2101711
    Fax: +353-1-2101678
    Email: info@espion.ie

    UNITED KINGDOM

    Empress Buildings
    380 Chester Road
    Manchester
    M16 9EA
    United Kingdom
    Tel: +44 (0)870 759 0030
    Email: info@espion.co.uk