
Secure Web Application Development Training


Course #: WDSE-120

Format: Classroom

Duration: 2 days

Price*: 1,340.00 USD

*Public Price per Student


This course is designed to provide students with the knowledge necessary to produce secure web applications, integrating security measures into the development process from requirements through deployment and maintenance. It goes well beyond basic programming skills, teaching developers sound processes and practices to apply across the entire software development lifecycle. The course is short on theory and long on application, providing students with in-depth, code-level demonstrations and walk-throughs. It is taught in a language-neutral fashion, with demonstrations in several languages to illustrate patterns and techniques.

This course is at the intermediate level. It is delivered in seminar format, combining lecture with open discussion and high-level demonstrations.

 


Upon completion of the course, students will be able to:
  • Explain potential sources for untrusted data
  • Describe the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Explain the vulnerabilities associated with authentication and authorization
  • Detect, attack and implement defenses for authentication and authorization functionality and services
  • Describe the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Detect, attack and implement defenses against XSS and Injection attacks
  • Explain the concepts and terminology behind defensive, secure coding
  • Describe the use of Threat Risk Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications
  • Design and develop strong, robust authentication and authorization implementations
  • Explain the fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Detect, attack and implement defenses for XML-based services and functionality
  • Describe techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure
  • Analyze and implement the processes and measures associated with the security development lifecycle (SDL)
  • Acquire the skills, tools and best practices for design and code reviews as well as testing initiatives
  • List the basics of security testing and planning
  • Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses

Audience:
  • Web Developers
  • Project Stakeholders

Prerequisites:
  • Basic experience with a programming language

Course Outline:
  1. Foundation
    • Security concepts
      • Terminology and players
      • Assets, threats and attacks
      • OWASP
    • Principles of defensive coding
    • Reality
      • Survey of recent, relevant incidents
      • Lab to find the security defects in an existing web application
  2. Top Security Vulnerabilities
    • Unvalidated input
      • Description with working example
      • Defenses
      • Identifying trust boundaries
      • Qualifying untrusted data
      • Implementing a layered defense that effectively protects quality of service as well as data integrity
      • Designing an appropriate response to a recognized attack
      • Testing defenses and responses for weaknesses
    • Overview of regular expressions
      • Description with working example
    • Broken access control
      • Description with working example
      • Defenses
      • Authorization security overview
      • Defending special privileges such as administrative functions
      • Application authorization best practices
    • Broken authentication and session management
      • Description with working example
      • Defenses
      • Multi-layered defenses of authentication services
      • Password management strategies
      • Password handling with hashing
      • Mitigating password caching
      • Testing defenses and responses for weaknesses
      • Alternative authentication mechanisms
      • Best practices for session management
      • Defending session hijacking attacks
      • Best practices for Single Sign-On (SSO)
    • Cross Site Scripting (XSS) flaws
      • Description with working example
      • Defenses
      • Character encoding complications
      • Blacklisting
      • Whitelisting
      • HTML/XML entity encoding
      • Understanding the implications of trust boundary definition
      • Implementing a layered defense that effectively protects quality of service as well as XSS vulnerabilities
      • Designing an appropriate response to a recognized attack
    • Injection flaws
      • Description with working example
      • Defenses
      • Qualifying untrusted data
      • Hibernate best practices
      • XML best practices
      • Third party APIs
      • Implementing a layered defense that effectively protects quality of service as well as injection vulnerabilities
      • Designing an appropriate response to a recognized attack
    • Error handling and information leakage
      • Description with working example
      • Defenses
      • Web application exception handling framework
      • Error response best practices
      • Error, auditing and logging content management
      • Error, auditing and logging service management
      • Best practices for supporting web attack forensics
    • Insecure storage
      • Description with working example
      • Defenses
      • Data leakage
      • Risk minimization
      • Cryptography overview
      • Data encryption
      • Partial/complete
      • Property/deployment/configuration files
    • Insecure management of configuration
      • Description with working example
      • Defenses
      • System hardening
      • Server configuration “gotchas!”
      • Hardening software installation
    • Direct object access
      • Description with working example
      • Defenses
      • XML/DTD/Schema/XSLT best practices
    • Spoofing
      • Description with working example
      • Defenses
      • Protecting your clients
      • Defending against Cross-Site Request Forgery (CSRF)
      • Phishing defenses
  3. Best Practices
    • Defensive coding principles
      • Attack surface management
      • Application states
      • Defense in depth
      • Not trusting the untrusted
      • No security through obscurity
      • Security defect mitigation
      • Leverage experience
  4. Defending XML Processing
    • Defending XML
      • Understanding common attacks and how to defend
      • Operating in safe mode
      • Using standards-based security
      • XML-aware security infrastructure
    • Defending Web services
      • Security exposures
      • Transport-level security
      • Message-level security
      • WS-Security
      • Attacks and defenses
    • Defending Ajax
      • Ajax security exposures
      • Attack surface changes
      • Injection threats and concerns
      • Effective defenses and practices
  5. Security Development Lifecycle (SDL)
    • SDL process overview
    • Applying processes and practices
    • Risk analysis
  6. Security Testing
    • Testing tools and processes
      • Principles
      • Reviews
      • Testing
      • Tools
    • Testing Practices
      • Authentication testing
      • Session management testing
      • Data validation testing
      • Denial of service testing
      • Web services testing
      • Ajax testing
  7. Appendix: Security Design Patterns
    • Design patterns introduction
    • Web application security design patterns
      • Authentication enforcer
      • Authorization enforcer
      • Intercepting validator
      • Secure base action
      • Secure logger
      • Secure pipe
      • Secure service proxy
      • Intercepting Web agent
