
Course ID

CSWAE

Title

Certified Secure Web Application Engineer

Price

$3,495.00

Duration

5 Days

Course Audience

The Certified Secure Web Application Engineer Certification Course is designed for those who have a background in web application development and want the skill set to make their applications secure. Job roles include positions such as:

Software Engineer
Web Application Developer
Mobile App Developer
Security Consultant


Course Objectives

Upon completion, students will:

Perform web application penetration testing to expose vulnerabilities.

Design & implement controls to defend against application vulnerabilities.

Integrate security best practices into the software development lifecycle.

Be ready to sit for the C)SWAE certification exam.


Course Content

The C)SWAE is a four-day course covering secure coding practices and security testing for web applications. It comprises 10 modules and an appendix of extra practice labs to perform outside of class to solidify secure coding practices.

Students will put theory into practice by completing real-world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risk analysis and threat modeling, conducting secure code reviews, and more.

On the final day of training, students will complete a real-world hacking exercise against a live web application.


Course Description

The Certified Secure Web Application Engineer course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in web applications, combining classroom instruction with hands-on labs and a final live hacking exercise.

These secure coding skills are in high demand: there are countless cases of valuable information being stolen from businesses because of a vulnerability in their web applications. When programmers don't understand the principles of secure coding, the doors are open to those who do.


Course Prerequisites

Proficiency in web application programming in a language of your choice.

While not required, we recommend being familiar with general cyber security topics, including those taught in our C)ISSO: Information Systems Security Officer course.


Course Outline

Web Application Security

Web Application Security

Web Application Technologies and Architecture

Secure Design Architecture

Application Flaws and Defense Mechanisms

Defense In-Depth

Secure Coding Principles

Lab: Environment Setup


OWASP TOP 10

The Open Web Application Security Project (OWASP)

OWASP TOP 10 2013

Lab: Environment Setup


Threat Modeling & Risk Management

Threat Modeling Tools & Resources

Identify Threats

Identify Countermeasures

Choosing a Methodology

Post Threat Modeling

Analyzing and Managing Risk

Incremental Threat Modeling

Identify Security Requirements

Understand the System

Root Cause Analysis

Lab: Threat Modeling and Architecture Risk Analysis

Lab: Quick Threat Modeling (the Doctor use case)


Application Mapping

Application Mapping

Web Spiders

Web Vulnerability Assessment

Discovering other content

Application Analysis

Application Security Toolbox

Setting up a Testing Environment

Lab: Web Application Mapping using Ethical Hacking Tools


Authentication and Authorization Attacks

Authentication

Different Types of Authentication (HTTP, Form)

Client Side Attacks

Authentication Attacks

Authorization

Modeling Authorization

Least Privilege

Access Control

Authorization Attacks

Access Control Attacks

User Management

Password Storage

User Names

Account Lockout

Passwords

Password Reset

Client-Side Security

Anti-Tampering Measures

Code Obfuscation

Anti-Debugging

Lab: Client Side, Authentication and Authorization Attacks


Session Management Attacks

Session Management Attacks

Session Hijacking

Session Fixation

Environment Configuration Attacks

Lab: Session Management, Access Controls and Configuration Attacks


Application Logic Attacks

Application Logic Attacks

Information Disclosure Exploits

Data Transmission Attacks

Lab: Application Logic, Information Disclosure and Data Transmission Attacks


Data Validation

Input and Output Validation

Trust Boundaries

Common Data Validation Attacks

Data Validation Design

Validating Non-Textual Data

Validation Strategies & Tactics

Errors & Exception Handling

Structured Exception Handling

Designing for Failure

Designing Error Messages

Failing Securely

Lab: CERT Oracle Secure Coding Standard for Java (Input Validation and Data Sanitization rules)


AJAX Attacks

AJAX Attacks

Web Services Attacks

Application Server Attacks

Lab: AJAX, Web Services and Server Attacks


Code Review and Security Testing

Insecure Code Discovery and Mitigation

Testing Methodology

Client Side Testing

Session Management Testing

Developing Security Testing Scripts

Pentesting a Web Application

Lab: Performing Code review and Building Security Test Scripts


Web Application Penetration Testing

Insecure Code Discovery and Mitigation

Benefits of a Penetration Test

Current Problems in WAPT

Learning Attack Methods

Methods of Obtaining Information

Passive vs. Active Reconnaissance

Footprinting Defined

Introduction to Port Scanning

OS Fingerprinting

Web Application Penetration Methodologies

The Anatomy of a Web Application Attack

Fuzzers

Lab: Performing Web Application PenTesting steps


Secure SDLC

Secure Software Development Lifecycle (SDLC)

Methodology

Web Hacking Methodology

Lab: Case Study and Web Penetration Testing Assignment


Cryptography

Overview of Cryptography

Key Management

Cryptography Application

True Random Number Generators (TRNG)

Symmetric/Asymmetric Cryptography

Digital Signatures and Certificates

Hashing Algorithms

XML Encryption and Digital Signatures

Authorization Attacks

Lab: Encryption in Secure Coding (Example for Java, PHP and .NET)


Appendix: Labs

Introduction & Instructions

Exercise 1: Logging into WebGoat

Exercise 2: Running WebScarab

Exercise 3: Manipulating Data


Spoofing Authentication Cookies


How to Perform Cross Site Scripting (XSS)

Injection Flaws

Exercise 1: SQL Injection

Exercise 2: String SQL Injection

Exercise 3: String SQL Injection


Improper Error Handling

Exercise 1: Fail Open Authentication

Parameter Tampering

Denial of Service

Writing Java Secure Code

Input Validation and Data Sanitization (IDS)

IDS00-J. Sanitize untrusted data passed across a trust boundary

IDS02-J. Canonicalize path names before validating them

IDS03-J. Do not log unsanitized user input

IDS04-J. Safely extract files from ZipInputStream

IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method
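As an added example, not part of the course material or its labs, the following Java class shows how two of the rules listed above, IDS02-J (canonicalize path names before validating them) and IDS04-J (safely extract files from ZipInputStream), fit together: the canonical-path containment check is what makes the zip extractor safe against "../" entries, and byte counting during decompression is what bounds a zip bomb. The class name, the entry and size limits, and the constructed in-memory archive in main() are illustrative assumptions, not anything the course specifies.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example (not course material): CERT IDS02-J and IDS04-J applied together.
 * Class name, limits and the sample archive are hypothetical, for illustration only.
 */
public final class SafeZipExtractor {

    // IDS04-J: bound both the number of entries and the total bytes actually
    // written, so a highly compressed archive cannot exhaust disk or inodes.
    private static final int MAX_ENTRIES = 1_000;
    private static final long MAX_TOTAL_BYTES = 100L * 1024 * 1024; // 100 MiB

    /**
     * IDS02-J: resolve the untrusted name under baseDir, canonicalize the result
     * (collapsing "." and "..", resolving symlinks on existing components), and
     * only then check that it is still inside baseDir. Checking the raw string
     * for ".." first is bypassable through encodings and symlinks.
     */
    public static File resolveInside(File baseDir, String untrustedName) throws IOException {
        String base = baseDir.getCanonicalPath();
        String canonical = new File(baseDir, untrustedName).getCanonicalPath();
        // The trailing separator stops "/srv/uploads2" from matching base "/srv/uploads".
        if (!canonical.startsWith(base + File.separator)) {
            throw new IOException("Entry escapes destination directory: " + untrustedName);
        }
        return new File(canonical);
    }

    /** IDS04-J: extract an untrusted archive into destDir with path and size checks. */
    public static int extractZip(InputStream archive, File destDir) throws IOException {
        int entries = 0;
        long totalBytes = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("Archive has more than " + MAX_ENTRIES + " entries");
                }
                // Validate the canonical target before creating anything on disk.
                File target = resolveInside(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                    continue;
                }
                Files.createDirectories(target.toPath().getParent());
                try (OutputStream out = Files.newOutputStream(target.toPath())) {
                    int n;
                    while ((n = zis.read(buf)) != -1) {
                        // Count bytes as they are decompressed; entry.getSize() is
                        // attacker-controlled metadata and may be -1 or simply false.
                        totalBytes += n;
                        if (totalBytes > MAX_TOTAL_BYTES) {
                            throw new IOException("Archive exceeds " + MAX_TOTAL_BYTES + " uncompressed bytes");
                        }
                        out.write(buf, 0, n);
                    }
                }
                zis.closeEntry();
            }
        }
        return entries;
    }

    /** Constructed demo archive: one benign entry followed by a path-traversal entry. */
    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("cswae-zip-demo").toFile();
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            zos.putNextEntry(new ZipEntry("notes/readme.txt"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../escaped.txt"));
            zos.write("traversal".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        try {
            extractZip(new ByteArrayInputStream(bytes.toByteArray()), dest);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("Benign entry extracted: " + new File(dest, "notes/readme.txt").isFile());
        System.out.println("Escaped file created: " + new File(dest, "../../escaped.txt").exists());
    }
}
```

Running main() extracts notes/readme.txt, then rejects the second entry with "Entry escapes destination directory" and reports that no file was written outside the temporary directory. Because the check happens before any directory or file for that entry is created, the traversal attempt leaves nothing behind; a size-limit violation, by contrast, aborts mid-write, so a production extractor should unpack into a staging directory and discard it on any exception rather than extracting straight into the final location.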


Status

Active

Technology

CyberSecurity

Category

Cybersecurity

SubCategory

Application Security and Secure Coding

Details

Certified Secure Web Application Engineer

Version: 4.0
Created at 5/12/2015 3:52 PM by Cole
Last modified at 6/29/2015 11:40 AM by GSATRAIN\Administrator