Maxtrain.com - info@maxtrain.com - 513-322-8888 - 866-595-6863
Certified Secure Web Application Engineer
Description
Certified Secure Web Application Engineer C)SWAE Training Introduction:
The Certified Secure Web Application Engineer (CSWAE) program is tailored for individuals experienced in web application development who aspire to strengthen their skills and enhance web application security. This comprehensive course covers secure design architecture, threat modeling, risk management, and practical coding techniques crucial for building robust and resilient web applications.
Certified Secure Web Application Engineer C)SWAE Training Course Objectives:
In the CSWAE course, you will:
- Develop a profound understanding of web application security principles.
- Acquire knowledge and skills in secure design architecture.
- Master threat modeling and risk management techniques.
- Learn practical coding methods to create secure web applications.
- Be fully prepared to earn the Certified Secure Web Application Engineer certification.
Certified Secure Web Application Engineer C)SWAE Training Course Outline:
Module 1: Introduction to Web Application Security
- Emphasizes the significance of web application security.
- Explores web application technologies and architecture.
- Covers secure design architecture principles.
- Addresses common application flaws and defense mechanisms.
- Highlights the principles of defense-in-depth.
- Provides guidance on secure coding best practices.
Module 2: OWASP TOP 10
- Offers an overview of the Open Web Application Security Project (OWASP).
- Provides in-depth coverage of OWASP TOP 10 for 2017 & 2018.
Module 3: Threat Modeling & Risk Management
- Introduces tools and resources for threat modeling.
- Guides in identifying threats and countermeasures.
- Explores methodologies for threat modeling.
- Covers the analysis and management of risk.
- Discusses incremental threat modeling.
- Addresses security requirements identification.
- Offers insights into system analysis and root cause analysis.
Module 4: Application Mapping & Analysis
- Explores techniques for mapping web applications.
- Discusses web spiders and vulnerability assessment.
- Includes methods for discovering hidden content and application analysis.
- Introduces the application security toolbox.
- Provides guidance on setting up a testing environment.
Module 5: Authentication and Authorization Attacks
- Examines authentication types and associated attacks.
- Discusses modeling authorization and access control.
- Addresses authorization attacks and user management.
- Provides insights into password storage and security measures.
Module 6: Session Management Attacks
- Highlights common session management vulnerabilities.
- Covers session hijacking and fixation.
- Discusses environment configuration attacks.
Module 7: Application Logic Attacks
- Explores application logic vulnerabilities and exploitation.
- Addresses information disclosure and data transmission attacks.
Module 8: Data Validation
- Covers input and output validation.
- Discusses trust boundaries and data validation attacks.
- Provides guidance on designing validation strategies and tactics.
- Addresses the secure handling of errors and exceptions.
Module 9: AJAX Security
- Focuses on securing AJAX applications.
- Discusses web services and application server security.
- Offers protection against AJAX-related attacks.
Module 10: Code Review and Security Testing
- Identifies insecure code and mitigation strategies.
- Explores security testing methodologies.
- Covers client-side and session management testing.
- Provides guidance on developing security testing scripts.
- Includes web application penetration testing.
Module 11: Secure Software Development Lifecycle (SDLC)
- Offers an overview of the secure SDLC methodology.
- Explores the web hacking methodology.
Module 12: Cryptography
- Covers the fundamentals of cryptography.
- Discusses key management and encryption techniques.
- Addresses digital signatures, certificates, and hashing algorithms.
- Highlights authorization attacks involving cryptography.
Module 13: Hands-on Labs Using Kali Linux
- Provides practical exercises covering various security topics.
Annex: Alternative Labs
- Includes additional labs for hands-on practice and reinforcement.
Certified Secure Web Application Engineer C)SWAE Exam Information:
The Certified Secure Web Application Engineer exam is administered online through Mile2’s user-friendly Learning Management System (LMS).
- Duration: The exam will have a duration of approximately 2 hours.
- Question Type: It will consist of 100 multiple-choice questions.
- To successfully earn your certification as a Certified Secure Web Application Engineer (CSWAE), you must achieve a minimum passing grade of 70% on the exam.
Mile2 is accredited by the NSA-CNSS, approved on the Homeland Security NICCS Framework, and is on the FBI's Tier 1-3 Certification Training Chart.
Outline
Module 1: Web Application Security
- Web Application Security
- Web Application Technologies and Architecture
- Secure Design Architecture
- Application Flaws and Defense Mechanisms
- Defense In-Depth
- Secure Coding Principles
Module 2: OWASP TOP 10
- The Open Web Application Security Project (OWASP)
- OWASP TOP 10 for 2017 & 2018
Module 3: Threat Modeling & Risk Management
- Threat Modeling Tools & Resources
- Identify Threats
- Identify Countermeasures
- Choosing a Methodology
- Post Threat Modeling
- Analyzing and Managing Risk
- Incremental Threat Modeling
- Identify Security Requirements
- Understand the System
- Root Cause Analysis
Module 4: Application Mapping
- Application Mapping
- Web Spiders
- Web Vulnerability Assessment
- Discovering other content
- Application Analysis
- Application Security Toolbox
- Setting up a Testing Environment
Module 5: Authentication and Authorization attacks
- Authentication
- Different Types of Authentication (HTTP, Form)
- Client Side Attacks
- Authentication Attacks
- Authorization
- Modeling Authorization
- Least Privilege
- Access Control
- Authorization Attacks
- Access Control Attacks
- User Management
- Password Storage
- User Names
- Account Lockout
- Passwords
- Password Reset
- Client-Side Security
- Anti-Tampering Measures
- Code Obfuscation
- Anti-Debugging
Module 6: Session Management attacks
- Session Management Attacks
- Session Hijacking
- Session Fixation
- Environment Configuration Attacks
Module 7: Application Logic attacks
- Application Logic Attacks
- Information Disclosure Exploits
- Data Transmission Attacks
Module 8: Data Validation
- Input and Output Validation
- Trust Boundaries
- Common Data Validation Attacks
- Data Validation Design
- Validating Non-Textual Data
- Validation Strategies & Tactics
- Errors & Exception Handling
- Structured Exception Handling
- Designing for Failure
- Designing Error Messages
- Failing Securely
Module 9: AJAX attacks
- AJAX Attacks
- Web Services Attacks
- Application Server Attacks
Module 10: Code Review and Security Testing
- Insecure Code Discovery and Mitigation
- Testing Methodology
- Client Side Testing
- Session Management Testing
- Developing Security Testing Scripts
- Pen testing a Web Application
Module 11: Web Application Penetration Testing
- Insecure Code Discovery and Mitigation
- Benefits of a Penetration Test
- Current Problems in WAPT
- Learning Attack Methods
- Methods of Obtaining Information
- Passive vs. Active Reconnaissance
- Footprinting Defined
- Introduction to Port Scanning
- OS Fingerprinting
- Web Application Penetration Methodologies
- The Anatomy of a Web Application Attack
- Fuzzers
Module 12: Secure SDLC
- Secure-Software Development Lifecycle (SDLC) Methodology
- Web Hacking Methodology
Module 13: Cryptography
- Overview of Cryptography
- Key Management
- Cryptography Application
- True Random Generators (TRNG)
- Symmetric/Asymmetric Cryptography
- Digital Signatures and Certificates
- Hashing Algorithms
- XML Encryption and Digital Signatures
- Authorization Attacks
- NOTE: Student will use Kali Linux
Detailed Outline:
Module 1 – Environment Setup and Architecture
- Exercise 1 – VM Image Preparation
- Exercise 2 – Checking Network connectivity between all VMs
- Exercise 3 – Discovering your class share (Optional, ask the Instructor)
- Exercise 4 – Navigating Linux Attack v3
- Exercise 5 – Proxy Setup – Setting up Burp Suite
- Exercise 6 – Setting up Paros
- Exercise 7 – Setting up WebScarab
Module 2 – OWASP TOP 10 2013
- Exercise 1 – Injection Flaws – SQL Injection (AltoroMutual banking site)
- Exercise 2 – Injection Flaws – String SQL Injection (OWASP Broken Apps WebGoat)
- Exercise 3- Cross Site Scripting (XSS)
- Exercise 4 – Cross Site Request Forgery (CSRF)
Module 3 – Threat Modeling
- Exercise 1 – Application Risk Assessment
- Exercise 2: Define the Entry Points
- Exercise 3: Define the Assets
- Exercise 4: Define User Access
- Exercise 5: Identify and Rate Risks
- Exercise 6: Identify Security Controls
- Exercise 7: Identify Threats
Module 04 – Application Mapping & Analysis
- Exercise 1 – Enumerating Content and Functionality
- Exercise 2 – User-Directed Spidering
- Exercise 3 – Discovering hidden content
- Exercise 4 – Brute-Force Techniques (brute-forcing DVWA)
- Form Based Authentication
- Attacking Web Authentication
Module 5 – Authentication and Authorization attacks
- Exercise 1 – Missing Function Level Access Control
- Exercise 2 – Sensitive Data Exposure
- Exercise 3 – Security Misconfiguration
- Exercise 4 – Using Components with Known Vulnerabilities
Module 06 – Session Management attacks
- Exercise 1 – Hijack a Session
- Exercise 2 – Spoof an Authentication Cookie
- Exercise 3 – Session Fixation
- Exercise 4 – Broken Authentication and Session Management (AltoroMutual banking)
Module 9 – AJAX Security
- Exercise 1: Same Origin Policy Protection
- Exercise 2: DOM-Based cross-site scripting
- Exercise 3: Client Side Filtering
Module 10 – Code Review and Security Testing
Lab 10-1 – Code Review
- Exercise 1: Account Retriever
- Exercise 2: FileUpload
- Exercise 3: XMLHelper
Lab 10-2 Security Test Scripts
- Exercise 1: Create Test Scripts
Lab 10-3 – Writing Secure Java Code
Annex: Alternative Labs
Lab 11-1: WebGoat & WebScarab
- Exercise 11-1.1: Logging into WebGoat
- Exercise 11-1.2: Running WebScarab
- Exercise 11-1.3: Manipulating Data
Lab 11-2: WebGoat – Cross Site Request Forgery (CSRF)
Lab 11-3: Missing Function Level Access Control
Lab 11-4: Perform Forced Browsing Attacks
PreRequisites
- A minimum of 24 months' experience in software technologies & security
- Sound knowledge of networking
- At least one coding language
- Linux understanding
- Open shell
Audience
The Certified Secure Web Application Engineer Certification Course is designed for those who have a background in web application development and want the skill set to make their applications secure. While not required, we recommend being familiar with general cyber security topics, including those taught in our C)ISSO: Information Systems Security Officer course.
- Pen Testers
- Security Officers
- Ethical Hackers
- Network Auditors
- Vulnerability assessors
- System Owners and Managers
- Cyber Security Engineers
Price: $3500.00
Length: 5 Days Course